From d2d6fd1f559e650a61c46217cba333323c5621dc Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 19 Sep 2025 12:18:47 +0100 Subject: [PATCH 01/42] reduce packaging time by building only two binaries --- .nfpm.amd64.yaml | 60 ++++++++++++++++++++++++++++++++++++++++++++++ .nfpm.arm64.yaml | 60 ++++++++++++++++++++++++++++++++++++++++++++++ .nfpm.yaml | 2 +- Makefile.packaging | 42 ++++++++++++++++---------------- 4 files changed, 143 insertions(+), 21 deletions(-) create mode 100644 .nfpm.amd64.yaml create mode 100644 .nfpm.arm64.yaml diff --git a/.nfpm.amd64.yaml b/.nfpm.amd64.yaml new file mode 100644 index 000000000..8d7d1e085 --- /dev/null +++ b/.nfpm.amd64.yaml 
@@ -0,0 +1,60 @@
+# this is the base "template" for the package
+name: nginx-agent
+description: NGINX Agent
+arch: amd64
+version: ${VERSION}
+priority: optional
+vendor: NGINX Software, Inc.
+maintainer: NGINX Inc.
+homepage: https://github.com/nginx/agent
+license: Apache 2.0
+contents:
+ - src: ./build/amd64/nginx-agent
+ dst: /usr/bin/nginx-agent
+ - src: nginx-agent.conf
+ dst: /etc/nginx-agent/nginx-agent.conf
+ type: config|noreplace
+ file_info:
+ mode: 0640
+ - src: ./scripts/packages/nginx-agent.service
+ dst: /etc/systemd/system/nginx-agent.service
+ - src: ./scripts/packages/nginx-agent.openrc
+ dst: /etc/init.d/nginx-agent
+ packager: apk
+ - src: ./scripts/nginx-agent.logrotate
+ dst: /etc/logrotate.d/nginx-agent
+ - src: ./scripts/selinux/nginx_agent_selinux.8
+ dst: /usr/share/man/man8/nginx_agent_selinux.8
+ packager: rpm
+ - src: ./scripts/selinux/nginx_agent.if
+ dst: /usr/share/selinux/devel/include/contrib/nginx_agent.if
+ packager: rpm
+ - src: ./scripts/selinux/nginx_agent.pp
+ dst: /usr/share/selinux/packages/nginx_agent.pp
+ packager: rpm
+ - dst: /var/log/nginx-agent
+ type: dir
+ - dst: /var/lib/nginx-agent
+ type: dir
+overrides:
+ deb:
+ depends:
+ - apt-transport-https
+#deb:
+# signature:
+# method: dpkg-sig
+# key_file: ".key.asc"
+#rpm:
+# signature:
+# key_file: ".key.asc"
+apk:
+# signature:
+# key_file: ".key.rsa"
+ scripts:
+ preupgrade: "./scripts/packages/preinstall.sh"
+ postupgrade: "./scripts/packages/postinstall.sh"
+scripts:
+ preinstall: "./scripts/packages/preinstall.sh"
+ postinstall: "./scripts/packages/postinstall.sh"
+ preremove: "./scripts/packages/preremove.sh"
+ postremove: "./scripts/packages/postremove.sh"
diff --git a/.nfpm.arm64.yaml b/.nfpm.arm64.yaml new file mode 100644
index 000000000..20d635efd
--- /dev/null
+++ b/.nfpm.arm64.yaml
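Review bot: `.nfpm.amd64.yaml` is a verbatim copy of the `.nfpm.yaml` template that differs only in `arch` and the binary `src`, so every later edit to the template (the `contents` list, the script hooks, or enabling the commented-out `signature` blocks) now has to be mirrored by hand and will silently drift if it is not. The template already relies on nfpm's `${VERSION}` environment expansion and previously used `${ARCH}`; if that expansion also applies to `src` (to be confirmed against the nfpm version in use), a single template with `src: ./build/${ARCH}/nginx-agent` would avoid the copies, otherwise generating the per-arch file from `.nfpm.yaml` at package time would. The same applies to the `.nfpm.arm64.yaml` hunk that follows.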
@@ -0,0 +1,60 @@
+# this is the base "template" for the package
+name: nginx-agent
+description: NGINX Agent
+arch: arm64
+version: ${VERSION}
+priority: optional
+vendor: NGINX Software, Inc.
+maintainer: NGINX Inc.
+homepage: https://github.com/nginx/agent
+license: Apache 2.0
+contents:
+ - src: ./build/arm64/nginx-agent
+ dst: /usr/bin/nginx-agent
+ - src: nginx-agent.conf
+ dst: /etc/nginx-agent/nginx-agent.conf
+ type: config|noreplace
+ file_info:
+ mode: 0640
+ - src: ./scripts/packages/nginx-agent.service
+ dst: /etc/systemd/system/nginx-agent.service
+ - src: ./scripts/packages/nginx-agent.openrc
+ dst: /etc/init.d/nginx-agent
+ packager: apk
+ - src: ./scripts/nginx-agent.logrotate
+ dst: /etc/logrotate.d/nginx-agent
+ - src: ./scripts/selinux/nginx_agent_selinux.8
+ dst: /usr/share/man/man8/nginx_agent_selinux.8
+ packager: rpm
+ - src: ./scripts/selinux/nginx_agent.if
+ dst: /usr/share/selinux/devel/include/contrib/nginx_agent.if
+ packager: rpm
+ - src: ./scripts/selinux/nginx_agent.pp
+ dst: /usr/share/selinux/packages/nginx_agent.pp
+ packager: rpm
+ - dst: /var/log/nginx-agent
+ type: dir
+ - dst: /var/lib/nginx-agent
+ type: dir
+overrides:
+ deb:
+ depends:
+ - apt-transport-https
+#deb:
+# signature:
+# method: dpkg-sig
+# key_file: ".key.asc"
+#rpm:
+# signature:
+# key_file: ".key.asc"
+apk:
+# signature:
+# key_file: ".key.rsa"
+ scripts:
+ preupgrade: "./scripts/packages/preinstall.sh"
+ postupgrade: "./scripts/packages/postinstall.sh"
+scripts:
+ preinstall: "./scripts/packages/preinstall.sh"
+ postinstall: "./scripts/packages/postinstall.sh"
+ preremove: "./scripts/packages/preremove.sh"
+ postremove: "./scripts/packages/postremove.sh"
diff --git a/.nfpm.yaml b/.nfpm.yaml
index ece9110c1..f8a4ac256 100644
--- a/.nfpm.yaml
+++ b/.nfpm.yaml
@@ -1,7 +1,7 @@
 # this is the base "template" for the package
 name: nginx-agent
 description: NGINX Agent
-arch: ${ARCH}
+arch: ${ARCH} # Duplicate this file to create .nfpm.amd64.yaml and .nfpm.arm64.yaml with amd64/arm64 values
 version: ${VERSION}
 priority: optional
 vendor: NGINX Software, Inc.
diff --git a/Makefile.packaging b/Makefile.packaging
index 7f09250af..1d2720b93 100644
--- a/Makefile.packaging
+++ b/Makefile.packaging
@@ -35,70 +35,72 @@ $(PACKAGES_DIR): @mkdir -p $(PACKAGES_DIR)/deb && mkdir -p $(PACKAGES_DIR)/rpm && mkdir -p $(PACKAGES_DIR)/apk .PHONY: package -package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported distros +package: $(PACKAGES_DIR) #### Create final packages for all supported distros + + # Build binaries for both amd64 and arm64 + for arch in $(DEB_ARCHS); do \ + mkdir -p $(BUILD_DIR)/$${arch}; \ + GOWORK=off CGO_ENABLED=0 GOARCH=$${arch} GOOS=linux \ + go build -pgo=auto -ldflags=${LDFLAGS} \ + -o $(BUILD_DIR)/$${arch}/$(BINARY_NAME) \ + $(PROJECT_DIR)/$(PROJECT_FILE); \ + done; \ + + find $(BUILD_DIR) -type f -name $(BINARY_NAME) -exec cp {} $(BINARY_PATH) \;; \ + # Create deb packages - @for arch in $(DEB_ARCHS); do \ - GOWORK=off CGO_ENABLED=0 GOARCH=$${arch} GOOS=linux go build -pgo=auto -ldflags=${LDFLAGS} -o $(BINARY_PATH) $(PROJECT_DIR)/$(PROJECT_FILE); \ + for arch in $(DEB_ARCHS); do \ for distro in $(DEB_DISTROS); do \ deb_codename=`echo $$distro | cut -d- -f 2`; \ - VERSION=$(PACKAGE_VERSION)~$${deb_codename} ARCH=$${arch} nfpm pkg --config .nfpm.yaml --packager deb --target ${PACKAGES_DIR}/deb/${PACKAGE_PREFIX}_$(PACKAGE_VERSION)~$${deb_codename}_$${arch}.deb; \ + VERSION=$(PACKAGE_VERSION)~$${deb_codename} nfpm pkg --config .nfpm.$$arch.yaml --packager deb --target ${PACKAGES_DIR}/deb/${PACKAGE_PREFIX}_$(PACKAGE_VERSION)~$${deb_codename}_$${arch}.deb; \ done; \ - rm -rf $(BINARY_PATH); \ done; \ # Create rpm packages - @GOWORK=off CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -pgo=auto -ldflags=${LDFLAGS} -o $(BINARY_PATH) $(PROJECT_DIR)/$(PROJECT_FILE) - @for distro in $(RPM_DISTROS); do \ + for distro in $(RPM_DISTROS); do \ rpm_distro=`echo $$distro | cut -d- -f 1`; \ rpm_major=`echo $$distro | cut -d- -f 2`; \ rpm_codename='na'; \ if [ "$$rpm_distro" = "suse" ]; then rpm_codename="sles$$rpm_major"; \ fi; \ if [ "$$rpm_codename" != "na" ]; then \ - VERSION=$(PACKAGE_VERSION) ARCH=amd64 nfpm pkg --config .nfpm.yaml 
--packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.${RPM_ARCH}.rpm; \ + VERSION=$(PACKAGE_VERSION) ARCH=amd64 nfpm pkg --config .nfpm.amd64.yaml --packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.${RPM_ARCH}.rpm; \ fi; \ done; \ - rm -rf $(BINARY_PATH) # Create redhat rpm packages - @for arch in $(REDHAT_ARCHS); do \ + for arch in $(REDHAT_ARCHS); do \ goarch=amd64; \ if [ "$$arch" = "aarch64" ]; then goarch="arm64"; fi; \ - GOWORK=off CGO_ENABLED=0 GOARCH=$${goarch} GOOS=linux go build -pgo=auto -ldflags=${LDFLAGS} -o $(BINARY_PATH) $(PROJECT_DIR)/$(PROJECT_FILE); \ for distro in $(REDHAT_VERSIONS); do \ rpm_distro=`echo $$distro | cut -d- -f 1`; \ rpm_major=`echo $$distro | cut -d- -f 2`; \ rpm_codename="el$$rpm_major"; \ - VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.yaml --packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ + VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.$$goarch.yaml --packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ done; \ - rm -rf $(BINARY_PATH); \ done; \ # Create amazon rpm packages - @for arch in $(AMAZON_ARCHS); do \ + for arch in $(AMAZON_ARCHS); do \ goarch=amd64; \ if [ "$$arch" = "aarch64" ]; then goarch="arm64"; fi; \ - GOWORK=off CGO_ENABLED=0 GOARCH=$${goarch} GOOS=linux go build -pgo=auto -ldflags=${LDFLAGS} -o $(BINARY_PATH) $(PROJECT_DIR)/$(PROJECT_FILE); \ for version in $(AMAZON_VERSIONS); do \ rpm_major=`echo $$version | cut -d- -f 2`; \ rpm_codename="amzn$$rpm_major";\ - VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.yaml --packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ + VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.$$goarch.yaml --packager rpm 
--target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ done; \ - rm -rf $(BINARY_PATH); \ done; \ # Create apk packages @for arch in $(APK_ARCHS); do \ goarch=amd64; \ if [ "$$arch" = "aarch64" ]; then goarch="arm64"; fi; \ - GOWORK=off CGO_ENABLED=0 GOARCH=$${goarch} GOOS=linux go build -pgo=auto -ldflags=${LDFLAGS} -o $(BINARY_PATH) $(PROJECT_DIR)/$(PROJECT_FILE); \ for version in $(APK_VERSIONS); do \ if [ ! -d "$(PACKAGES_DIR)/apk/v$${version}/$${arch}" ]; then mkdir -p $(PACKAGES_DIR)/apk/v$${version}/$${arch}; fi; \ - VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.yaml --packager apk --target $(PACKAGES_DIR)/apk/v$${version}/$${arch}/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).apk; \ + VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.$$goarch.yaml --packager apk --target $(PACKAGES_DIR)/apk/v$${version}/$${arch}/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).apk; \ done; \ - rm -rf $(BINARY_PATH); \ done; \ # Package build complete From 51d031e642f32f731304efa73040ee06dbfe1b7a Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Fri, 26 Sep 2025 17:52:16 +0100 Subject: [PATCH 02/42] use pushd --- Makefile.packaging | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.packaging b/Makefile.packaging index 1d2720b93..2a4270aa2 100644 --- a/Makefile.packaging +++ b/Makefile.packaging @@ -113,7 +113,7 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros find $(PACKAGES_DIR)/apk ;\ # Create tarball containing all packages - cd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" * && cd ../..; \ + pushd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" * && popd; \ .PHONY: gpg-key gpg-key: ## Generate GPG public key From 8512685d22aee5257c17cf8ea104e20be0f88fba Mon Sep 17 00:00:00 2001 
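Review bot: The new `find $(BUILD_DIR) -type f -name $(BINARY_NAME) -exec cp {} $(BINARY_PATH) \;;` copies both the amd64 and the arm64 binary onto the same `$(BINARY_PATH)`, so whichever one `find` visits last wins and anything that still reads `$(BINARY_PATH)` gets an architecture chosen by directory order. If nothing in this recipe consumes `$(BINARY_PATH)` any more (nfpm now takes the per-arch path from `.nfpm.$arch.yaml`), the line should simply go; otherwise copy one explicitly chosen build, e.g. `cp $(BUILD_DIR)/amd64/$(BINARY_NAME) $(BINARY_PATH); \`. Separately, the rule header drops the `gpg-key` prerequisite, which the commit message does not mention; if a later signing step outside this hunk relies on the key existing, `package` no longer guarantees it. The `@` prefixes were also dropped from the `for` loops, so each multi-line shell chain is now echoed in full. The `package` recipe continues outside the hunk.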
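Review bot: `pushd`/`popd` are bash builtins, not POSIX; GNU make runs recipes under `/bin/sh` unless `SHELL` is set (not visible in this hunk), so on a dash-based system the `&&` chain stops at `pushd: not found` and no tarball is written. A subshell is portable and removes the need to return at all: `(cd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" *); \`. The enclosing `package` recipe starts outside the hunk.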
From: Sean Breen Date: Tue, 30 Sep 2025 13:12:35 +0100 Subject: [PATCH 03/42] tidy up console output --- Makefile.packaging | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Makefile.packaging b/Makefile.packaging index 2a4270aa2..e73afd627 100644 --- a/Makefile.packaging +++ b/Makefile.packaging @@ -46,7 +46,8 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros $(PROJECT_DIR)/$(PROJECT_FILE); \ done; \ - find $(BUILD_DIR) -type f -name $(BINARY_NAME) -exec cp {} $(BINARY_PATH) \;; \ + @echo "Built binaries:"; \ + find $(BUILD_DIR) -type f -name $(BINARY_NAME) \ # Create deb packages for arch in $(DEB_ARCHS); do \ @@ -104,15 +105,16 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros done; \ # Package build complete - echo "DEB packages:"; \ - find $(PACKAGES_DIR)/deb ;\ + find $(PACKAGES_DIR)/deb -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ echo "RPM packages:"; \ - find $(PACKAGES_DIR)/rpm ;\ + find $(PACKAGES_DIR)/rpm -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ echo "APK packages:"; \ - find $(PACKAGES_DIR)/apk ;\ + find $(PACKAGES_DIR)/apk -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ # Create tarball containing all packages + @echo "Creating tarball: $(TARBALL_NAME)"; \ + rm -f $(PACKAGES_DIR)/$(TARBALL_NAME); \ pushd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" * && popd; \ .PHONY: gpg-key From f6b404a54d73454e2830550a60c4e19eaede6bc8 Mon Sep 17 00:00:00 2001 
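Review bot: In the package listing, `find … | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort` treats the version as a regular expression (each `.` matches any character) and its exit status is discarded by the `; \` chain, so a packager that produced nothing prints an empty section and the build carries on as if it had succeeded. Since this is the release artefact check, make an empty match fatal, e.g. `find $(PACKAGES_DIR)/deb -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort || { echo "no deb packages built" >&2; exit 1; }; \`, and likewise for the rpm and apk lines. The `rm -f $(PACKAGES_DIR)/$(TARBALL_NAME)` before `tar` is a good addition, since `*` would otherwise fold a stale tarball from a previous run into the new one. The `package` recipe starts outside the hunk.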
From: Sean Breen Date: Tue, 30 Sep 2025 13:37:44 +0100 Subject: [PATCH 04/42] perform string substitution when creating files for release packaging --- .nfpm.amd64.yaml | 60 ---------------------------------------------- .nfpm.arm64.yaml | 60 ---------------------------------------------- .nfpm.yaml | 2 +- Makefile.packaging | 3 +++ 4 files changed, 4 insertions(+), 121 deletions(-) delete mode 100644 .nfpm.amd64.yaml delete mode 100644 .nfpm.arm64.yaml diff --git a/.nfpm.amd64.yaml b/.nfpm.amd64.yaml deleted file mode 100644 index 8d7d1e085..000000000 --- a/.nfpm.amd64.yaml +++ /dev/null 
@@ -1,60 +0,0 @@
-# this is the base "template" for the package
-name: nginx-agent
-description: NGINX Agent
-arch: amd64
-version: ${VERSION}
-priority: optional
-vendor: NGINX Software, Inc.
-maintainer: NGINX Inc.
-homepage: https://github.com/nginx/agent
-license: Apache 2.0
-contents:
- - src: ./build/amd64/nginx-agent
- dst: /usr/bin/nginx-agent
- - src: nginx-agent.conf
- dst: /etc/nginx-agent/nginx-agent.conf
- type: config|noreplace
- file_info:
- mode: 0640
- - src: ./scripts/packages/nginx-agent.service
- dst: /etc/systemd/system/nginx-agent.service
- - src: ./scripts/packages/nginx-agent.openrc
- dst: /etc/init.d/nginx-agent
- packager: apk
- - src: ./scripts/nginx-agent.logrotate
- dst: /etc/logrotate.d/nginx-agent
- - src: ./scripts/selinux/nginx_agent_selinux.8
- dst: /usr/share/man/man8/nginx_agent_selinux.8
- packager: rpm
- - src: ./scripts/selinux/nginx_agent.if
- dst: /usr/share/selinux/devel/include/contrib/nginx_agent.if
- packager: rpm
- - src: ./scripts/selinux/nginx_agent.pp
- dst: /usr/share/selinux/packages/nginx_agent.pp
- packager: rpm
- - dst: /var/log/nginx-agent
- type: dir
- - dst: /var/lib/nginx-agent
- type: dir
-overrides:
- deb:
- depends:
- - apt-transport-https
-#deb:
-# signature:
-# method: dpkg-sig
-# key_file: ".key.asc"
-#rpm:
-# signature:
-# key_file: ".key.asc"
-apk:
-# signature:
-# key_file: ".key.rsa"
- scripts:
- preupgrade: "./scripts/packages/preinstall.sh"
- postupgrade: "./scripts/packages/postinstall.sh"
-scripts:
- preinstall: "./scripts/packages/preinstall.sh"
- postinstall: "./scripts/packages/postinstall.sh"
- preremove: "./scripts/packages/preremove.sh"
- postremove: "./scripts/packages/postremove.sh"
diff --git a/.nfpm.arm64.yaml b/.nfpm.arm64.yaml deleted file mode 100644
index 20d635efd..000000000
--- a/.nfpm.arm64.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# this is the base "template" for the package
-name: nginx-agent
-description: NGINX Agent
-arch: arm64
-version: ${VERSION}
-priority: optional
-vendor: NGINX Software, Inc.
-maintainer: NGINX Inc.
-homepage: https://github.com/nginx/agent
-license: Apache 2.0
-contents:
- - src: ./build/arm64/nginx-agent
- dst: /usr/bin/nginx-agent
- - src: nginx-agent.conf
- dst: /etc/nginx-agent/nginx-agent.conf
- type: config|noreplace
- file_info:
- mode: 0640
- - src: ./scripts/packages/nginx-agent.service
- dst: /etc/systemd/system/nginx-agent.service
- - src: ./scripts/packages/nginx-agent.openrc
- dst: /etc/init.d/nginx-agent
- packager: apk
- - src: ./scripts/nginx-agent.logrotate
- dst: /etc/logrotate.d/nginx-agent
- - src: ./scripts/selinux/nginx_agent_selinux.8
- dst: /usr/share/man/man8/nginx_agent_selinux.8
- packager: rpm
- - src: ./scripts/selinux/nginx_agent.if
- dst: /usr/share/selinux/devel/include/contrib/nginx_agent.if
- packager: rpm
- - src: ./scripts/selinux/nginx_agent.pp
- dst: /usr/share/selinux/packages/nginx_agent.pp
- packager: rpm
- - dst: /var/log/nginx-agent
- type: dir
- - dst: /var/lib/nginx-agent
- type: dir
-overrides:
- deb:
- depends:
- - apt-transport-https
-#deb:
-# signature:
-# method: dpkg-sig
-# key_file: ".key.asc"
-#rpm:
-# signature:
-# key_file: ".key.asc"
-apk:
-# signature:
-# key_file: ".key.rsa"
- scripts:
- preupgrade: "./scripts/packages/preinstall.sh"
- postupgrade: "./scripts/packages/postinstall.sh"
-scripts:
- preinstall: "./scripts/packages/preinstall.sh"
- postinstall: "./scripts/packages/postinstall.sh"
- preremove: "./scripts/packages/preremove.sh"
- postremove: "./scripts/packages/postremove.sh"
diff --git a/.nfpm.yaml b/.nfpm.yaml
index f8a4ac256..3be825754 100644
--- a/.nfpm.yaml
+++ b/.nfpm.yaml
@@ -9,7 +9,7 @@ maintainer: NGINX Inc. homepage: https://github.com/nginx/agent license: Apache 2.0 contents: - - src: ./build/nginx-agent + - src: ^BUILD_PATH^/nginx-agent dst: /usr/bin/nginx-agent - src: nginx-agent.conf dst: /etc/nginx-agent/nginx-agent.conf diff --git a/Makefile.packaging b/Makefile.packaging index e73afd627..acc6b6510 100644 --- a/Makefile.packaging +++ b/Makefile.packaging @@ -40,10 +40,13 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros # Build binaries for both amd64 and arm64 for arch in $(DEB_ARCHS); do \ mkdir -p $(BUILD_DIR)/$${arch}; \ + cp .nfpm.yaml .nfpm.$$arch.yaml; \ + sed -i.bak "s/\^BUILD_PATH\^/\.\/build\/$${arch}/g" ".nfpm.$$arch.yaml"; \ GOWORK=off CGO_ENABLED=0 GOARCH=$${arch} GOOS=linux \ go build -pgo=auto -ldflags=${LDFLAGS} \ -o $(BUILD_DIR)/$${arch}/$(BINARY_NAME) \ $(PROJECT_DIR)/$(PROJECT_FILE); \ + rm -f .nfpm.$$arch.yaml.bak; \ done; \ @echo "Built binaries:"; \ From fe4abebc80f45edee55bc253e3e1fffa796be83f Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Mon, 13 Oct 2025 16:16:53 +0100 Subject: [PATCH 05/42] remove docker build for FreeBSD packager --- .github/workflows/release-branch.yml | 16 ------ scripts/packages/packager/Dockerfile | 28 --------- scripts/packages/packager/local-entrypoint.sh | 51 ----------------- .../packages/packager/signed-entrypoint.sh | 57 ------------------- 4 files changed, 152 deletions(-) delete mode 100644 scripts/packages/packager/Dockerfile delete mode 100644 scripts/packages/packager/local-entrypoint.sh delete mode 100644 scripts/packages/packager/signed-entrypoint.sh diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 3a9be9f4f..0b7755de4 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml 
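Review bot: The `sed` substitution hard-codes `\.\/build\/$${arch}` while the `go build` two lines below writes to `$(BUILD_DIR)/$${arch}`, so an override of `BUILD_DIR` makes nfpm package a stale or missing binary instead of the one just built. Derive the path from the same variable and use a delimiter that does not clash with slashes: `sed -i.bak "s|\^BUILD_PATH\^|$(BUILD_DIR)/$${arch}|g" ".nfpm.$$arch.yaml"; \`. The generated `.nfpm.<arch>.yaml` files are also left in the working tree after the run; if they are not already covered by `.gitignore` (not visible here) they are easy to commit by accident. The `package` recipe continues outside the hunk.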
@@ -232,22 +232,6 @@ jobs: export PATH=$PATH:~/go/bin nfpm --version - - name: Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - - name: Build Docker Image - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - with: - file: scripts/packages/packager/Dockerfile - tags: build-signed-packager:1.0.0 - context: '.' - push: false - load: true - cache-from: type=gha,scope=build-signed-packager - cache-to: type=gha,scope=build-signed-packager,mode=max - build-args: | - package_type=signed-package - - name: Set the VERSION environment variable run: echo VERSION=v${{ inputs.packageVersion }} >> $GITHUB_ENV diff --git a/scripts/packages/packager/Dockerfile b/scripts/packages/packager/Dockerfile deleted file mode 100644 index 9127c8922..000000000 --- a/scripts/packages/packager/Dockerfile +++ /dev/null 
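Review bot: Removing the `build-signed-packager` image build leaves nothing in this hunk that consumes the FreeBSD signing material: the deleted `signed-entrypoint.sh` ran `pkg repo … .key.rsa`, so if a step outside this hunk still writes `.key.rsa` (or `.key.asc`) into the workspace, that key is now materialised on the runner for no purpose and should be dropped together with any remaining `docker run build-signed-packager` step. The FreeBSD `.pkg`/`.txz` artefacts that entrypoint produced are likewise no longer built by anything visible here; if the release job uploads them or a downstream consumer expects them, that list needs updating too. The enclosing `jobs:` block continues outside the hunk.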
@@ -1,28 +0,0 @@ -ARG package_type - -FROM docker.io/golang@sha256:62ba6b19de03e891f7fa1001326bd48411f2626ff35e7ba5b9d890711ce581d9 AS base - -ARG PKG_VER="1.17.5" -ARG PKG_DIR="/tmp/pkg" - -RUN apt-get update && \ - apt-get install -y make jq gnupg gnupg1 gpgv1 git aptly debsig-verify createrepo-c dnf rpm \ - curl gettext-base make monkeysphere libtool unzip libssl-dev libbz2-dev libbsd-dev libarchive-dev liblzma-dev zlib1g-dev - -# compile, install pkg tool for linux -RUN mkdir $PKG_DIR; cd $PKG_DIR; \ - go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.32.0; \ - curl -L -o pkg.zip https://github.com/freebsd/pkg/archive/refs/tags/$PKG_VER.zip; \ - unzip -qo pkg.zip; cd pkg-$PKG_VER; ./configure; make -s -j$(nproc); make install; \ - rm -rf $PKG_DIR - -FROM base AS local-package -ADD ./scripts/packages/packager/local-entrypoint.sh /scripts/entrypoint.sh -RUN chmod +x /scripts/entrypoint.sh - -FROM base AS signed-package -ADD ./scripts/packages/packager/signed-entrypoint.sh /scripts/entrypoint.sh -RUN chmod +x /scripts/entrypoint.sh - -FROM ${package_type} AS final -ENTRYPOINT [ "/scripts/entrypoint.sh" ] diff --git a/scripts/packages/packager/local-entrypoint.sh b/scripts/packages/packager/local-entrypoint.sh deleted file mode 100644 index 5080545ed..000000000 --- a/scripts/packages/packager/local-entrypoint.sh +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/bash - -set -e -set -x -set -euxo pipefail - -VERSION_TAG=$(git describe --match 'v[0-9]*' --abbrev=0 | tr -d 'v') -COMMIT_SHA=$(git rev-parse --short HEAD) -export VERSION=${VERSION:-"${VERSION_TAG}-SNAPSHOT-${COMMIT_SHA}"} - -case "$(uname -m)" in - amd64|x86_64) ABIARCH=amd64 ;; - arm64|aarch64) ABIARCH=aarch64 ;; -esac - -cd /nginx-agent/ - -mkdir -p /staging/usr/local/bin -mkdir -p /staging/usr/local/etc/nginx-agent -mkdir -p /staging/usr/local/etc/rc.d - -cp nginx-agent.conf /staging/usr/local/etc/nginx-agent -cp scripts/packages/nginx-agent /staging/usr/local/etc/rc.d -cp scripts/packages/preinstall.sh /staging/+PRE_INSTALL -cp scripts/packages/postremove.sh /staging/+POST_DEINSTALL -cp scripts/packages/postinstall.sh /staging/+POST_INSTALL -cp scripts/packages/plist /staging -cp build/nginx-agent /staging/usr/local/bin - -chmod +x /staging/usr/local/etc/rc.d/nginx-agent - -# Temporary fix until the follow issue is resolved https://github.com/actions/checkout/issues/1169 -git config --global --add safe.directory /nginx-agent -envsubst < scripts/packages/manifest > /staging/+MANIFEST - -mkdir -p ./build - -pkg -o ABI="FreeBSD:13:${ABIARCH}" create --format txz \ - -m /staging \ - -r /staging \ - -p /staging/plist \ - -o ./build - -# Creating symbolic link from txz to pkg. In older versions of pkg the extension would represent the format of the file -# but since version 1.17.0 pkg will now always create a file with the extesion pkg no matter what the format is. -# See 1.17.0 release notes for more info: https://cgit.freebsd.org/ports/commit/?id=e497a16a286972bfcab908209b11ee6a13d99dc9 -cd build -ln -s "nginx-agent-${VERSION}.pkg" "nginx-agent-${VERSION}.txz" -cd ../ - -rm -rf /staging diff --git a/scripts/packages/packager/signed-entrypoint.sh b/scripts/packages/packager/signed-entrypoint.sh deleted file mode 100644 index d68237b4a..000000000 --- a/scripts/packages/packager/signed-entrypoint.sh +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/bin/bash - -set -e -set -x -set -euxo pipefail - -FREEBSD_DISTROS="FreeBSD:12:amd64 FreeBSD:13:amd64" -VERSION=${VERSION:-""} -if [ -z "${VERSION}" ]; then - VERSION=$(git describe --match 'v[0-9]*' --abbrev=0 | tr -d 'v') -fi -export VERSION - -cd /nginx-agent/ - -mkdir -p ./build/packages/txz -mkdir -p ./build/github/packages -mkdir -p ./build/azure/packages - -mkdir -p staging/usr/local/bin -mkdir -p staging/usr/local/etc/nginx-agent -mkdir -p staging/usr/local/etc/rc.d - -cp nginx-agent.conf staging/usr/local/etc/nginx-agent -cp scripts/packages/nginx-agent staging/usr/local/etc/rc.d -cp scripts/packages/preinstall.sh staging/+PRE_INSTALL -cp scripts/packages/postremove.sh staging/+POST_DEINSTALL -cp scripts/packages/postinstall.sh staging/+POST_INSTALL -cp scripts/packages/plist staging -cp build/nginx-agent staging/usr/local/bin - -chmod +x staging/usr/local/etc/rc.d/nginx-agent - -# Temporary fix until the follow issue is resolved https://github.com/actions/checkout/issues/1169 -git config --global --add safe.directory /nginx-agent -envsubst < scripts/packages/manifest > staging/+MANIFEST - -for freebsd_abi in $FREEBSD_DISTROS; do \ - mkdir -p ./build/packages/txz/"$freebsd_abi"; \ - pkg -o ABI="$freebsd_abi" create --format txz \ - -m staging \ - -r staging \ - -p staging/plist \ - -o ./build/packages/txz/"$freebsd_abi"; \ - # create freebsd pkg repo layout - pkg repo ./build/packages/txz/"$freebsd_abi" .key.rsa; \ - # Creating symbolic link from txz to pkg. In older versions of pkg the extension would represent the format of the file - # but since version 1.17.0 pkg will now always create a file with the extesion pkg no matter what the format is. 
- # See 1.17.0 release notes for more info: https://cgit.freebsd.org/ports/commit/?id=e497a16a286972bfcab908209b11ee6a13d99dc9 - cd build/packages/txz/"$freebsd_abi"; \ - ln -s nginx-agent-"${VERSION}".pkg nginx-agent-"${VERSION}".txz; \ - cd ../../../../; \ - cp ./build/packages/txz/"$freebsd_abi"/nginx-agent-"${VERSION}".pkg ./build/github/packages/nginx-agent-"${VERSION}"-"$freebsd_abi".pkg; \ - cp ./build/packages/txz/"$freebsd_abi"/nginx-agent-"${VERSION}".pkg ./build/azure/packages/nginx-agent-"${VERSION}"-"${freebsd_abi//:}".pkg; \ -done; \ - -rm -rf /staging From 079c3df00c4354141a319f34c234e17fe4eddd53 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Mon, 13 Oct 2025 17:16:38 +0100 Subject: [PATCH 06/42] perform string sub on architecture var --- .nfpm.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.nfpm.yaml b/.nfpm.yaml index 3be825754..abc2bb7d2 100644 --- a/.nfpm.yaml +++ b/.nfpm.yaml @@ -1,7 +1,7 @@ # this is the base "template" for the package name: nginx-agent description: NGINX Agent -arch: ${ARCH} # Duplicate this file to create .nfpm.amd64.yaml and .nfpm.arm64.yaml with amd64/arm64 values +arch: ^ARCH^ # substituted in Makefile.packaging version: ${VERSION} priority: optional vendor: NGINX Software, Inc. @@ -9,7 +9,7 @@ maintainer: NGINX Inc. homepage: https://github.com/nginx/agent license: Apache 2.0 contents: - - src: ^BUILD_PATH^/nginx-agent + - src: ^BUILD_PATH^/nginx-agent # substituted in Makefile.packaging dst: /usr/bin/nginx-agent - src: nginx-agent.conf dst: /etc/nginx-agent/nginx-agent.conf From 05b23a5ffb3674ba8bb890ce7f970de3434f06cd Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Tue, 14 Oct 2025 09:57:39 +0100 Subject: [PATCH 07/42] update make target --- Makefile.packaging | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/Makefile.packaging b/Makefile.packaging index acc6b6510..8cfee36c3 100644 --- a/Makefile.packaging +++ b/Makefile.packaging 
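Review bot: With `arch: ^ARCH^` and `src: ^BUILD_PATH^/nginx-agent`, `.nfpm.yaml` is no longer usable on its own (nfpm would be handed the literal `^ARCH^` as the architecture), but the only hint is a trailing comment on each line while the header still calls it the "template for the package". Say so up front, e.g. extend the first line to `# this is the base "template" for the package; ^ARCH^ and ^BUILD_PATH^ are substituted by Makefile.packaging, do not pass this file to nfpm directly`. The same applies to the second hunk of this file.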
@@ -37,26 +37,26 @@ $(PACKAGES_DIR): .PHONY: package package: $(PACKAGES_DIR) #### Create final packages for all supported distros - # Build binaries for both amd64 and arm64 - for arch in $(DEB_ARCHS); do \ + # Build binaries for all supported architectures + @for arch in $(DEB_ARCHS); do \ mkdir -p $(BUILD_DIR)/$${arch}; \ cp .nfpm.yaml .nfpm.$$arch.yaml; \ + sed -i.bak "s/\^ARCH\^/$${arch}/g" ".nfpm.$$arch.yaml"; \ sed -i.bak "s/\^BUILD_PATH\^/\.\/build\/$${arch}/g" ".nfpm.$$arch.yaml"; \ + echo "Building for architecture: $${arch}"; \ GOWORK=off CGO_ENABLED=0 GOARCH=$${arch} GOOS=linux \ go build -pgo=auto -ldflags=${LDFLAGS} \ -o $(BUILD_DIR)/$${arch}/$(BINARY_NAME) \ $(PROJECT_DIR)/$(PROJECT_FILE); \ - rm -f .nfpm.$$arch.yaml.bak; \ + rm -f .nfpm.$$arch.yaml.bak \ + @echo "Binary built: $(BUILD_DIR)/$${arch}/$(BINARY_NAME)"; \ done; \ - @echo "Built binaries:"; \ - find $(BUILD_DIR) -type f -name $(BINARY_NAME) \ - # Create deb packages for arch in $(DEB_ARCHS); do \ for distro in $(DEB_DISTROS); do \ deb_codename=`echo $$distro | cut -d- -f 2`; \ - VERSION=$(PACKAGE_VERSION)~$${deb_codename} nfpm pkg --config .nfpm.$$arch.yaml --packager deb --target ${PACKAGES_DIR}/deb/${PACKAGE_PREFIX}_$(PACKAGE_VERSION)~$${deb_codename}_$${arch}.deb; \ + VERSION=$(PACKAGE_VERSION)~$${deb_codename} nfpm pkg --config .nfpm.$${arch}.yaml --packager deb --target ${PACKAGES_DIR}/deb/${PACKAGE_PREFIX}_$(PACKAGE_VERSION)~$${deb_codename}_$${arch}.deb; \ done; \ done; \ 
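Review bot: `rm -f .nfpm.$$arch.yaml.bak \` lost its `;` before the continuation, so the shell sees `rm -f .nfpm.arm64.yaml.bak @echo "Binary built: …"` as one command — `@` is only a make prefix at the start of a recipe line, not mid-chain — and `rm -f` silently ignores the non-existent extra arguments while the message is never printed; nothing fails, which is why it is easy to miss. Restore the separator and drop the prefix: `rm -f .nfpm.$$arch.yaml.bak; \` followed by `echo "Binary built: $(BUILD_DIR)/$${arch}/$(BINARY_NAME)"; \`. The same mid-chain `@` appears in the `@@ -108,12 +108,17 @@` hunk below, where `@find …` and the later `@echo …` lines are continuations of the first `@echo "DEB packages:"` line and will run as the literal command `@find`, giving `command not found` and no package listing, with the exit status again swallowed by the `;` chain. The `package` recipe continues outside the hunk.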
@@ -81,7 +81,7 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros rpm_distro=`echo $$distro | cut -d- -f 1`; \ rpm_major=`echo $$distro | cut -d- -f 2`; \ rpm_codename="el$$rpm_major"; \ - VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.$$goarch.yaml --packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ + VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.$${goarch}.yaml --packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ done; \ done; \ @@ -108,12 +108,17 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros done; \ # Package build complete - echo "DEB packages:"; \ - find $(PACKAGES_DIR)/deb -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ - echo "RPM packages:"; \ - find $(PACKAGES_DIR)/rpm -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ - echo "APK packages:"; \ - find $(PACKAGES_DIR)/apk -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ + @echo "DEB packages:"; \ + @find $(PACKAGES_DIR)/deb -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ + @echo "RPM packages:"; \ + @find $(PACKAGES_DIR)/rpm -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ + @echo "APK packages:"; \ + @find $(PACKAGES_DIR)/apk -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ + + # Clean up temporary nfpm config files + for arch in $(DEB_ARCHS); do \ + rm -f .nfpm.$$arch.yaml; \ + done; \ # Create tarball containing all packages @echo "Creating tarball: $(TARBALL_NAME)"; \ From 18a8109370985cdf7d816173a6c8cb621d3807f2 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Tue, 18 Nov 2025 17:50:58 +0000 Subject: [PATCH 08/42] [skip ci] clean up log output --- Makefile.packaging | 80 ++++++++++++++++++++++++++++------------------ 1 file changed, 49 insertions(+), 31 deletions(-) 
diff --git a/Makefile.packaging b/Makefile.packaging index b738fb2e2..fb33ff86a 100644 --- a/Makefile.packaging +++ b/Makefile.packaging 
@@ -37,93 +37,111 @@ $(PACKAGES_DIR): .PHONY: package package: $(PACKAGES_DIR) #### Create final packages for all supported distros - # Build binaries for all supported architectures +# Build binaries for all supported architectures @for arch in $(DEB_ARCHS); do \ mkdir -p $(BUILD_DIR)/$${arch}; \ - cp .nfpm.yaml .nfpm.$$arch.yaml; \ - sed -i.bak "s/\^ARCH\^/$${arch}/g" ".nfpm.$$arch.yaml"; \ - sed -i.bak "s/\^BUILD_PATH\^/\.\/build\/$${arch}/g" ".nfpm.$$arch.yaml"; \ - echo "Building for architecture: $${arch}"; \ + cp .nfpm.yaml .nfpm.$${arch}.yaml; \ + sed -i.bak "s/\^ARCH\^/$${arch}/g" ".nfpm.$${arch}.yaml"; \ + sed -i.bak "s/\^BUILD_PATH\^/\.\/build\/$${arch}/g" ".nfpm.$${arch}.yaml"; \ + echo "Building linux/$${arch}"; \ GOWORK=off CGO_ENABLED=0 GOARCH=$${arch} GOOS=linux \ go build -pgo=auto -ldflags=${LDFLAGS} \ -o $(BUILD_DIR)/$${arch}/$(BINARY_NAME) \ $(PROJECT_DIR)/$(PROJECT_FILE); \ - rm -f .nfpm.$$arch.yaml.bak \ - @echo "Binary built: $(BUILD_DIR)/$${arch}/$(BINARY_NAME)"; \ + rm -f .nfpm.$$arch.yaml.bak; \ + ls -la "$(BUILD_DIR)/$${arch}/$(BINARY_NAME)"; \ done; \ - # Create deb packages - for arch in $(DEB_ARCHS); do \ +# Create deb packages + @for arch in $(DEB_ARCHS); do \ for distro in $(DEB_DISTROS); do \ - deb_codename=`echo $$distro | cut -d- -f 2`; \ - VERSION=$(PACKAGE_VERSION)~$${deb_codename} nfpm pkg --config .nfpm.$${arch}.yaml --packager deb --target ${PACKAGES_DIR}/deb/${PACKAGE_PREFIX}_$(PACKAGE_VERSION)~$${deb_codename}_$${arch}.deb; \ + deb_codename=`echo $${distro} | cut -d- -f 2`; \ + VERSION=$(PACKAGE_VERSION)~$${deb_codename} \ + nfpm pkg --config .nfpm.$${arch}.yaml \ + --packager deb \ + --target ${PACKAGES_DIR}/deb/${PACKAGE_PREFIX}_$(PACKAGE_VERSION)~$${deb_codename}_$${arch}.deb; \ done; \ done; \ - # Create rpm packages - for distro in $(RPM_DISTROS); do \ +# Create rpm packages + @for distro in $(RPM_DISTROS); do \ rpm_distro=`echo $$distro | cut -d- -f 1`; \ rpm_major=`echo $$distro | cut -d- -f 2`; \ rpm_codename='na'; 
\ if [ "$$rpm_distro" = "suse" ]; then rpm_codename="sles$$rpm_major"; \ fi; \ if [ "$$rpm_codename" != "na" ]; then \ - VERSION=$(PACKAGE_VERSION) ARCH=amd64 nfpm pkg --config .nfpm.amd64.yaml --packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.${RPM_ARCH}.rpm; \ + VERSION=$(PACKAGE_VERSION) ARCH=amd64 \ + nfpm pkg --config .nfpm.amd64.yaml \ + --packager rpm \ + --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.${RPM_ARCH}.rpm; \ fi; \ done; \ - # Create redhat rpm packages - for arch in $(REDHAT_ARCHS); do \ +# Create redhat rpm packages + @for arch in $(REDHAT_ARCHS); do \ goarch=amd64; \ if [ "$$arch" = "aarch64" ]; then goarch="arm64"; fi; \ for distro in $(REDHAT_VERSIONS); do \ rpm_distro=`echo $$distro | cut -d- -f 1`; \ rpm_major=`echo $$distro | cut -d- -f 2`; \ rpm_codename="el$$rpm_major"; \ - VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.$${goarch}.yaml --packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ + VERSION=$(PACKAGE_VERSION) ARCH=$${arch} \ + nfpm pkg --config .nfpm.$${goarch}.yaml \ + --packager rpm \ + --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ done; \ done; \ - # Create amazon rpm packages - for arch in $(AMAZON_ARCHS); do \ +# Create amazon rpm packages + @for arch in $(AMAZON_ARCHS); do \ goarch=amd64; \ if [ "$$arch" = "aarch64" ]; then goarch="arm64"; fi; \ for version in $(AMAZON_VERSIONS); do \ rpm_major=`echo $$version | cut -d- -f 2`; \ rpm_codename="amzn$$rpm_major";\ - VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.$$goarch.yaml --packager rpm --target $(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ + VERSION=$(PACKAGE_VERSION) ARCH=$${arch} \ + nfpm pkg --config .nfpm.$$goarch.yaml \ + --packager rpm \ + --target 
$(PACKAGES_DIR)/rpm/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).$${rpm_codename}.ngx.$${arch}.rpm; \ done; \ done; \ - # Create apk packages +# Create apk packages @for arch in $(APK_ARCHS); do \ goarch=amd64; \ if [ "$$arch" = "aarch64" ]; then goarch="arm64"; fi; \ for version in $(APK_VERSIONS); do \ if [ ! -d "$(PACKAGES_DIR)/apk/v$${version}/$${arch}" ]; then mkdir -p $(PACKAGES_DIR)/apk/v$${version}/$${arch}; fi; \ - VERSION=$(PACKAGE_VERSION) ARCH=$${arch} nfpm pkg --config .nfpm.$$goarch.yaml --packager apk --target $(PACKAGES_DIR)/apk/v$${version}/$${arch}/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).apk; \ + VERSION=$(PACKAGE_VERSION) ARCH=$${arch} \ + nfpm pkg --config .nfpm.$$goarch.yaml \ + --packager apk \ + --target $(PACKAGES_DIR)/apk/v$${version}/$${arch}/${PACKAGE_PREFIX}-$(PACKAGE_VERSION).apk; \ done; \ - done; \ + done; - # Package build complete +# Package build complete @echo "DEB packages:"; \ - @find $(PACKAGES_DIR)/deb -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ + find $(PACKAGES_DIR)/deb -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; @echo "RPM packages:"; \ - @find $(PACKAGES_DIR)/rpm -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ + find $(PACKAGES_DIR)/rpm -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; @echo "APK packages:"; \ - @find $(PACKAGES_DIR)/apk -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; \ + find $(PACKAGES_DIR)/apk -type f | grep -E "${BINARY_NAME}[-_]${PACKAGE_VERSION}" | sort; - # Clean up temporary nfpm config files - for arch in $(DEB_ARCHS); do \ +# Clean up temporary nfpm config files + @for arch in $(DEB_ARCHS); do \ rm -f .nfpm.$$arch.yaml; \ done; \ - # Create tarball containing all packages +# Create tarball containing all packages @echo "Creating tarball: $(TARBALL_NAME)"; \ rm -f $(PACKAGES_DIR)/$(TARBALL_NAME); \ - pushd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" * && popd; \ + pushd $(PACKAGES_DIR) > /dev/null; \ + tar 
-czvf "./$(TARBALL_NAME)" *; \ + popd > /dev/null; \ + ls -la $(PACKAGES_DIR)/$(TARBALL_NAME); .PHONY: gpg-key gpg-key: ## Generate GPG public key From e6758c848b5040bc461c1d6f9a7f7829a7ef6ba4 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Wed, 19 Nov 2025 19:02:52 +0000 Subject: [PATCH 09/42] add assertion step to release-branch, sha checksum and build times --- .github/workflows/assertion.yml | 77 ++++++++++++---------------- .github/workflows/release-branch.yml | 22 ++++++-- Makefile.packaging | 11 +++- 3 files changed, 61 insertions(+), 49 deletions(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 2028cfc48..55373fd13 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml @@ -2,13 +2,22 @@ name: Generate and Sign Assertion Document on: - workflow_dispatch: + workflow_call: inputs: - branch: + packageVersion: + required: true + type: string + arm64_sha: + required: true type: string - description: "The branch to run the assertion workflow on" - required: false - default: main + amd64_sha: + required: true + type: string + secrets: + ARTIFACTORY_USER: + required: true + ARTIFACTORY_TOKEN: + required: true jobs: build-assertion-document: 
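Review bot: Every `nfpm pkg` call inside the `@for` loops is chained with `;`, so a failed deb/rpm/apk build does not stop the recipe and `make package` still exits 0 with artifacts missing from the tarball that the release job then uploads; unless `.SHELLFLAGS` sets `-e` somewhere not visible here, add `set -e;` as the first statement of each `@for ...` recipe line (or `|| exit 1` after each nfpm invocation) so a packaging failure fails the target. `pushd`/`popd` in the tarball step are bash builtins while make's default `SHELL` is `/bin/sh`; on Debian/Ubuntu runners where `sh` is dash that line fails, and `(cd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" *)` in a subshell avoids the dependency. The `ls -la` of the built binary is useful, but a checksum printed here (`sha256sum "$(BUILD_DIR)/$${arch}/$(BINARY_NAME)"`) would give reviewers of the CI log something to compare against the published artifact.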
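Review bot: `secrets:` declares only `ARTIFACTORY_USER` and `ARTIFACTORY_TOKEN`, yet the job's `GOPROXY` env in the next hunk reads `secrets.ARTIFACTORY_URL`; a `workflow_call` workflow only sees the secrets it declares (or `secrets: inherit`), so add `ARTIFACTORY_URL:` with `required: true` here or the proxy host expands empty. The `arm64_sha`/`amd64_sha` inputs are declared required but nothing in the job reads them; either compare them against a digest computed from the downloaded binary (which would make the assertion detect a mismatch) or drop them.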
@@ -19,47 +28,27 @@ jobs: id-token: write contents: read env: - GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency" - outputs: - agent_binary: ${{ steps.check_binary.outputs.agent_binary }} - goversionm: ${{ steps.godeps.outputs.goversionm }} - assertion_document: ${{ steps.assertiondoc.outputs.assertion-document-path }} + GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL }}" strategy: - matrix: - osarch: [amd64, arm64] + matrix: + osarch: [amd64, arm64] steps: - - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - - - name: Set up Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + - name: Download nginx-agent binaries + uses: actions/download-artifact@v3.0.2 with: - go-version-file: go.mod - cache: false + name: nginx-agent-binaries-${{ inputs.packageVersion }} + path: ./artifacts - name: Gather build dependencies id: godeps run: | - if [ -z ${{inputs.branch}} ]; then - echo "No branch input provided, using current branch: $GITHUB_REF_NAME" - else - echo "Checking out branch: ${{inputs.branch}}" - git checkout ${{inputs.branch}} - fi - echo "Current branch: $GITHUB_REF_NAME" - echo "branch_name=$GITHUB_REF_NAME" >> $GITHUB_ENV - GO_VERSION=$(go version | awk '{print $3}' | sed 's/go//') - echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV - echo "GO_VERSION=$GO_VERSION" - echo "time_start=$(date +%s)" >> $GITHUB_ENV - OSARCH=${{matrix.osarch}} make build - echo "time_end=$(date +%s)" >> $GITHUB_ENV - echo "Build time: $((time_end - time_start)) seconds" - - echo "Getting sha256sum of the built nginx-agent binary..." 
- echo "agent-digest=$(sha256sum build/nginx-agent | awk '{print $1}')" >> $GITHUB_ENV - + ls -la artifacts/${{ matrix.osarch }} + echo "agent_digest=$(cat artifacts/${{ matrix.osarch }}/nginx-agent.sha256)" >> $GITHUB_ENV + echo "agent_buildstart=$(cat artifacts/${{ matrix.osarch }}/nginx-agent.buildstart)" >> $GITHUB_ENV + echo "agent_buildend=$(cat artifacts/${{ matrix.osarch }}/nginx-agent.buildend)" >> $GITHUB_ENV + echo "Checking dependencies..." - go version -m build/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt + go version -m build/${{ matrix.osarch }}/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt ls -l goversionm_*.txt echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV 
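Review bot: `go version -m build/${{ matrix.osarch }}/nginx-agent` still points at the in-job build path, but this job no longer checks out or builds anything — the binary is downloaded to `./artifacts/${{ matrix.osarch }}/`, so the command fails and no dependency listing reaches the assertion; use `go version -m artifacts/${{ matrix.osarch }}/nginx-agent`. With the setup-go step removed, `GO_VERSION` is never exported either, so the `builder-version` passed later collapses to `_test`. The digest is copied from the `.sha256` text file instead of being computed from the artifact that was actually downloaded; `sha256sum artifacts/${{ matrix.osarch }}/nginx-agent | cut -d' ' -f1` compared against that file would let the job fail on a mismatch rather than attest a hash it never verified. `actions/download-artifact@v3.0.2` is a mutable tag while the other actions in this repo are pinned by commit SHA; pin it the same way.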
@@ -67,20 +56,20 @@ jobs: id: assertiondoc uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 with: - artifact-name: nginx-agent_${{ env.branch_name }}_${{ matrix.osarch }} + artifact-name: nginx-agent_${{ github.ref_name }}_${{ matrix.osarch }} artifact-digest: ${{ env.agent-digest }} build-type: 'github' builder-id: 'github.com' builder-version: '${{env.GO_VERSION}}_test' invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} - artifactory-user: ${{ secrets.ARTIFACTORY_USER }} - artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} + artifactory-user: ${{ inputs.ARTIFACTORY_USER }} + artifactory-api-token: ${{ inputs.ARTIFACTORY_TOKEN }} artifactory-url: ${{ secrets.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' - assertion-doc-file: assertion_nginx-agent_${{env.branch_name}}_${{matrix.osarch}}.json + assertion-doc-file: assertion_nginx-agent_${{ github.ref_name }}_${{matrix.osarch}}.json build-content-path: ${{ env.goversionm }} - started-on: '${{ env.time_start }}' - finished-on: '${{ env.time_end }}' + started-on: '${{ env.agent_buildstart }}' + finished-on: '${{ env.agent_buildend }}' - name: Sign and Store Assertion Document id: sign diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index bb883bc3f..4fd2758e5 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -204,8 +204,8 @@ jobs: run: | git push origin "v${{ inputs.packageVersion }}" - upload-packages: - name: Upload packages + build-and-upload-packages: + name: Build and upload release packages runs-on: ubuntu-22.04-amd64 needs: [vars,release-draft,tag-release] permissions: 
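Review bot: `artifactory-user` and `artifactory-api-token` now read `inputs.ARTIFACTORY_USER` / `inputs.ARTIFACTORY_TOKEN`, but the workflow declares these under `secrets:` and defines no such inputs, so the action receives empty credentials; use `${{ secrets.ARTIFACTORY_USER }}` and `${{ secrets.ARTIFACTORY_TOKEN }}`. Keeping the token a secret rather than an input also matters for log hygiene, since `with:` inputs are not redacted the way secrets are. `artifact-digest: ${{ env.agent-digest }}` does not match the `agent_digest` key exported by the earlier step, so the document would be generated with an empty digest.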
@@ -243,9 +243,17 @@ jobs: PACKAGE_BUILD: ${{ inputs.packageBuildNo }} run: | export PATH=$PATH:~/go/bin + echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE} make package + - name: Archive Binaries + uses: actions/upload-artifact@v3.1.2 # v3.1.2 + with: + name: nginx-agent-binaries-${{ inputs.packageVersion }} + path: | + build/a*64 + - name: Install GPG tools if: ${{ inputs.publishPackages == true }} run: | @@ -261,7 +269,7 @@ jobs: let id_token = await core.getIDToken() core.setOutput('id_token', id_token) - - name: Publish Release Packages + - name: Upload Release Packages if: ${{ inputs.publishPackages == true }} env: TOKEN: ${{ steps.idtoken.outputs.id_token }} @@ -269,6 +277,14 @@ jobs: run: | make release + - name: Generate assertion documents + uses: .github/workflows/assertion.yml@${{ github.ref_name }} + continue-on-error: true + secrets: + ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} + ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} + ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL_PROD }} + merge-release: if: ${{ needs.vars.outputs.create_pull_request == 'true' }} name: Merge release branch back into main branch diff --git a/Makefile.packaging b/Makefile.packaging index fb33ff86a..4823c4a7a 100644 --- a/Makefile.packaging +++ b/Makefile.packaging @@ -36,7 +36,6 @@ $(PACKAGES_DIR): .PHONY: package package: $(PACKAGES_DIR) #### Create final packages for all supported distros - # Build binaries for all supported architectures @for arch in $(DEB_ARCHS); do \ mkdir -p $(BUILD_DIR)/$${arch}; \ 
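Review bot: `echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE}` writes the package-signing private key into the workspace with the runner's default umask and nothing removes it afterwards; the following `Archive Binaries` step uploads `build/a*64`, so the key stays out of the artifact only as long as `NFPM_SIGNING_KEY_FILE` (defined outside this hunk) never points under `build/`. Create it with restrictive permissions and delete it once packaging is done, e.g. `(umask 077; echo "$GPG_KEY" | base64 --decode > "${NFPM_SIGNING_KEY_FILE}")` before `make package` and `shred -u "${NFPM_SIGNING_KEY_FILE}"` (or `rm -f`) after it. `actions/upload-artifact@v3.1.2` is a mutable tag whereas the other actions in this workflow are pinned by commit SHA; pin it the same way.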
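Review bot: `uses: .github/workflows/assertion.yml@${{ github.ref_name }}` is placed as a step, but a reusable workflow can only be called from `jobs.<id>.uses`, steps do not accept a `secrets:` key, and expressions are not permitted in a `uses:` reference, so this step fails validation before anything runs. `continue-on-error: true` on provenance generation is also a policy decision worth stating: as written the release has already run `make release` on the publish path and proceeds even when no assertion document was produced or signed, so packages can ship without provenance. Move this to its own job with `needs: [build-and-upload-packages]` and the credentials under `secrets:`, and either drop `continue-on-error` or add a comment recording why a missing assertion must not block the release.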
@@ -44,12 +43,20 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros sed -i.bak "s/\^ARCH\^/$${arch}/g" ".nfpm.$${arch}.yaml"; \ sed -i.bak "s/\^BUILD_PATH\^/\.\/build\/$${arch}/g" ".nfpm.$${arch}.yaml"; \ echo "Building linux/$${arch}"; \ + start_time=$$(date +%s); \ GOWORK=off CGO_ENABLED=0 GOARCH=$${arch} GOOS=linux \ go build -pgo=auto -ldflags=${LDFLAGS} \ -o $(BUILD_DIR)/$${arch}/$(BINARY_NAME) \ $(PROJECT_DIR)/$(PROJECT_FILE); \ - rm -f .nfpm.$$arch.yaml.bak; \ + end_time=$$(date +%s); \ + rm -f .nfpm.$${arch}.yaml.bak; \ + sha256sum build/$${arch}/nginx-agent | awk '{print $$1}' > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).sha256; \ + echo $${start_time} > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).buildstart; \ + echo $${end_time} > $(BUILD_DIR)/$${arch}/$(BINARY_NAME).buildend; \ + echo "Built binary:"; \ ls -la "$(BUILD_DIR)/$${arch}/$(BINARY_NAME)"; \ + cat $(BUILD_DIR)/$${arch}/$(BINARY_NAME).sha256; \ + echo "Built took "$$((end_time - start_time))" seconds"; \ done; \ # Create deb packages From 5fb958748e98642709022cc685cf34204894abc3 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Wed, 19 Nov 2025 19:14:04 +0000 Subject: [PATCH 10/42] archive the binaries for generating assertion doc --- .github/workflows/assertion.yml | 20 ++++++++------------ .github/workflows/release-branch.yml | 11 ++++++++--- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 55373fd13..f2c26ec2b 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml @@ -4,13 +4,7 @@ name: Generate and Sign Assertion Document on: workflow_call: inputs: - packageVersion: - required: true - type: string - arm64_sha: - required: true - type: string - amd64_sha: + artifact_name: required: true type: string secrets: @@ -18,6 +12,8 @@ on: required: true ARTIFACTORY_TOKEN: required: true + ARTIFACTORY_URL: + required: true jobs: build-assertion-document: 
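Review bot: The digest is taken after `go build` on a `;`-chained recipe line with no `set -e`, so if the build fails the loop continues and `sha256sum` hashes whatever stale `build/<arch>/nginx-agent` is left from an earlier run, producing a checksum and timestamps that are then uploaded and attested for a binary that was not built here (unless `.SHELLFLAGS` sets `-e` somewhere not visible). Chain the build to the digest with `&&`, e.g. `$(PROJECT_DIR)/$(PROJECT_FILE) && \` followed by the `sha256sum` line, or start the recipe line with `set -e;`. `sha256sum build/$${arch}/nginx-agent` also hard-codes `build/` and `nginx-agent` while the surrounding lines use `$(BUILD_DIR)` and `$(BINARY_NAME)`; use the variables so the hash is of the same file that `ls -la` reports.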
@@ -36,16 +32,16 @@ jobs: - name: Download nginx-agent binaries uses: actions/download-artifact@v3.0.2 with: - name: nginx-agent-binaries-${{ inputs.packageVersion }} + name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} path: ./artifacts - name: Gather build dependencies id: godeps run: | - ls -la artifacts/${{ matrix.osarch }} - echo "agent_digest=$(cat artifacts/${{ matrix.osarch }}/nginx-agent.sha256)" >> $GITHUB_ENV - echo "agent_buildstart=$(cat artifacts/${{ matrix.osarch }}/nginx-agent.buildstart)" >> $GITHUB_ENV - echo "agent_buildend=$(cat artifacts/${{ matrix.osarch }}/nginx-agent.buildend)" >> $GITHUB_ENV + ls -la artifacts + echo "agent_digest=$(cat artifacts/nginx-agent.sha256)" >> $GITHUB_ENV + echo "agent_buildstart=$(cat artifacts/nginx-agent.buildstart)" >> $GITHUB_ENV + echo "agent_buildend=$(cat artifacts/nginx-agent.buildend)" >> $GITHUB_ENV echo "Checking dependencies..." go version -m build/${{ matrix.osarch }}/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 4fd2758e5..a2158a0eb 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -249,10 +249,15 @@ jobs: - name: Archive Binaries uses: actions/upload-artifact@v3.1.2 # v3.1.2 + matrix: + osarch: [amd64, arm64] with: - name: nginx-agent-binaries-${{ inputs.packageVersion }} + name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} path: | - build/a*64 + build/${{ matrix.osarch }}/nginx-agent + build/${{ matrix.osarch }}/nginx-agent.sha256 + build/${{ matrix.osarch }}/nginx-agent.buildstart + build/${{ matrix.osarch }}/nginx-agent.buildend - name: Install GPG tools if: ${{ inputs.publishPackages == true }} 
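Review bot: The artifact name still references `inputs.packageVersion`, but this same patch replaces that input with `artifact_name` at the top of the workflow, so the expression expands empty and the download looks for `nginx-agent-binaries--amd64`; either pass the new input through (`name: ${{ inputs.artifact_name }}-${{ matrix.osarch }}`) or keep `packageVersion` declared. After the download the binary lives at `artifacts/nginx-agent`, yet `go version -m build/${{ matrix.osarch }}/nginx-agent` still reads the old in-job build path that does not exist in this job; it should read `artifacts/nginx-agent`. The digest is read from `artifacts/nginx-agent.sha256` rather than recomputed from the downloaded binary; a `sha256sum artifacts/nginx-agent` compared against that file would let the assertion fail on a mismatch instead of attesting a hash the job never verified.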
@@ -280,7 +285,7 @@ jobs: - name: Generate assertion documents uses: .github/workflows/assertion.yml@${{ github.ref_name }} continue-on-error: true - secrets: + with: ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL_PROD }} From b8cdcf9b9e15f670e0420158859e2cf439f51f19 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Wed, 19 Nov 2025 19:16:42 +0000 Subject: [PATCH 11/42] remove matrix from step --- .github/workflows/release-branch.yml | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index a2158a0eb..a8deb97d7 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -247,17 +247,25 @@ jobs: echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE} make package - - name: Archive Binaries + - name: Archive AMD64 Binaries uses: actions/upload-artifact@v3.1.2 # v3.1.2 - matrix: - osarch: [amd64, arm64] with: - name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} + name: nginx-agent-binaries-${{ inputs.packageVersion }}-amd64 path: | - build/${{ matrix.osarch }}/nginx-agent - build/${{ matrix.osarch }}/nginx-agent.sha256 - build/${{ matrix.osarch }}/nginx-agent.buildstart - build/${{ matrix.osarch }}/nginx-agent.buildend + build/amd64/nginx-agent + build/amd64/nginx-agent.sha256 + build/amd64/nginx-agent.buildstart + build/amd64/nginx-agent.buildend + + - name: Archive ARM64 Binaries + uses: actions/upload-artifact@v3.1.2 # v3.1.2 + with: + name: nginx-agent-binaries-${{ inputs.packageVersion }}-arm64 + path: | + build/arm64/nginx-agent + build/arm64/nginx-agent.sha256 + build/arm64/nginx-agent.buildstart + build/arm64/nginx-agent.buildend - name: Install GPG tools if: ${{ inputs.publishPackages == true }} From 8fe87cc4f36a22bf5fdf88bd4521465384b77c17 Mon Sep 17 00:00:00 2001 
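Review bot: Moving `ARTIFACTORY_USER`, `ARTIFACTORY_TOKEN` and `ARTIFACTORY_URL` from `secrets:` to `with:` passes credentials as ordinary workflow inputs; the called workflow declares them under `secrets:` and declares no such inputs, so the call is rejected, and if matching inputs were ever added the token would appear unmasked in the run's input listing. Keep `secrets:` for these three and use `with:` only for non-sensitive values such as the package version.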
From: Sean Breen Date: Wed, 19 Nov 2025 19:17:43 +0000 Subject: [PATCH 12/42] fix ref --- .github/workflows/release-branch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index a8deb97d7..c5416081f 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -291,7 +291,7 @@ jobs: make release - name: Generate assertion documents - uses: .github/workflows/assertion.yml@${{ github.ref_name }} + uses: .github/workflows/assertion.yml@improve-assertion-doc-generation continue-on-error: true with: ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} From 8a92156f1f160b824b165b7626c0a6232c2d386b Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Wed, 19 Nov 2025 19:25:34 +0000 Subject: [PATCH 13/42] use a relative path for reusable action --- .github/workflows/release-branch.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index c5416081f..0793b2b89 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -85,6 +85,7 @@ jobs: name: Update Release Draft runs-on: ubuntu-22.04 needs: [vars] + if: ${{ needs.vars.outputs.github_release == 'true' }} permissions: contents: write # Needed to create draft release outputs: @@ -99,7 +100,6 @@ jobs: uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 - name: Create Draft Release - if: ${{ needs.vars.outputs.github_release == 'true' }} uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 id: release env: @@ -184,6 +184,7 @@ jobs: name: Tag Release runs-on: ubuntu-22.04 needs: [vars,release-draft] + if: ${{ needs.vars.outputs.tag_release == 'true' }} permissions: contents: write steps: 
@@ -196,11 +197,9 @@ jobs: run: | git config --global user.name 'github-actions' git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com' - git tag -a "v${{ inputs.packageVersion }}" -m "CI Autogenerated" - name: Push Tags - if: ${{ needs.vars.outputs.tag_release == 'true' }} run: | git push origin "v${{ inputs.packageVersion }}" @@ -291,7 +290,7 @@ jobs: make release - name: Generate assertion documents - uses: .github/workflows/assertion.yml@improve-assertion-doc-generation + uses: ./github/workflows/assertion.yml continue-on-error: true with: ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} From 2096b5d356c8ef36fd14c150603bce836568c80c Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Wed, 19 Nov 2025 19:29:32 +0000 Subject: [PATCH 14/42] add package version to call --- .github/workflows/release-branch.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 0793b2b89..c6c62626d 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -281,7 +281,7 @@ jobs: let id_token = await core.getIDToken() core.setOutput('id_token', id_token) - - name: Upload Release Packages + - name: Upload Release Packages to NGINX repo if: ${{ inputs.publishPackages == true }} env: TOKEN: ${{ steps.idtoken.outputs.id_token }} @@ -290,9 +290,11 @@ jobs: make release - name: Generate assertion documents - uses: ./github/workflows/assertion.yml + uses: ./.github/workflows/assertion.yml continue-on-error: true with: + packageVersion: ${{ inputs.packageVersion }} + secrets: ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL_PROD }} From 79bc3ce19df55b5571714c7a3d453abde94a2394 Mon Sep 17 00:00:00 2001 
From: Sean Breen Date: Wed, 19 Nov 2025 19:30:43 +0000 Subject: [PATCH 15/42] remove secrets --- .github/workflows/release-branch.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index c6c62626d..2ed90eb38 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -294,7 +294,6 @@ jobs: continue-on-error: true with: packageVersion: ${{ inputs.packageVersion }} - secrets: ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL_PROD }} From 0a8f631a07ad61f4e63ea19c547f20e494c00b79 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 10:49:18 +0000 Subject: [PATCH 16/42] [skip ci] swap runner for test --- .github/workflows/release-branch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 2ed90eb38..b9dafc1cf 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -205,7 +205,7 @@ jobs: build-and-upload-packages: name: Build and upload release packages - runs-on: ubuntu-22.04-amd64 + runs-on: ubuntu-22.04 needs: [vars,release-draft,tag-release] permissions: id-token: write From 7504aad917cfe0778f9dff52abf69defcdcdf0b2 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 10:54:33 +0000 Subject: [PATCH 17/42] [skip ci] fix flow --- .github/workflows/release-branch.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index b9dafc1cf..275d3b1d4 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml 
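Review bot: Removing the `secrets:` key re-parents `ARTIFACTORY_USER`, `ARTIFACTORY_TOKEN` and `ARTIFACTORY_URL` under `with:`, i.e. as plain inputs; the callee declares them as secrets and not as inputs, so the call fails validation, and a token passed as an input would in any case not be redacted from logs. Keep `with:` for `packageVersion` only and restore `secrets:` for the three Artifactory values.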
@@ -93,10 +93,12 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + if: ${{ needs.vars.outputs.github_release == 'true' }} with: ref: ${{ inputs.releaseBranch }} - name: Setup Node Environment + if: ${{ needs.vars.outputs.github_release == 'true' }} uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 - name: Create Draft Release @@ -176,6 +178,7 @@ jobs: - name: Set Environment Variables id: vars + if: ${{ needs.vars.outputs.github_release == 'true' }} run: | echo "RELEASE_ID=$(echo '${{steps.release.outputs.result}}' | jq -r '.release_id')" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT @@ -184,22 +187,24 @@ jobs: name: Tag Release runs-on: ubuntu-22.04 needs: [vars,release-draft] - if: ${{ needs.vars.outputs.tag_release == 'true' }} permissions: contents: write steps: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + if: ${{ needs.vars.outputs.tag_release == 'true' }} with: ref: ${{ inputs.releaseBranch }} - name: Tag release + if: ${{ needs.vars.outputs.tag_release == 'true' }} run: | git config --global user.name 'github-actions' git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com' git tag -a "v${{ inputs.packageVersion }}" -m "CI Autogenerated" - name: Push Tags + if: ${{ needs.vars.outputs.tag_release == 'true' }} run: | git push origin "v${{ inputs.packageVersion }}" From 08b82d602b135705f572a03e9df850211f935b59 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 10:55:43 +0000 Subject: [PATCH 18/42] [skip ci] fix flow --- .github/workflows/release-branch.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 275d3b1d4..adba697d7 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml 
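Review bot: Moving the `tag_release` gate from the job to each step changes the contract silently: with a job-level `if`, a skipped `tag-release` also skips `build-and-upload-packages`, which `needs` it, whereas per-step conditions let the job report success so packages are built and potentially published for a commit that was never tagged. If that is intended (build without tagging), record it in a comment on the job, e.g. `# gate is per-step, not per-job, so downstream jobs still run when tag_release is false`. Consider also having the publish step check `needs.vars.outputs.tag_release` itself before `make release`, so an untagged build cannot be pushed to the repository by accident.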
@@ -85,7 +85,6 @@ jobs: name: Update Release Draft runs-on: ubuntu-22.04 needs: [vars] - if: ${{ needs.vars.outputs.github_release == 'true' }} permissions: contents: write # Needed to create draft release outputs: From a7268aa3cd646cf352f4948cb368525f943346a6 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 11:04:41 +0000 Subject: [PATCH 19/42] update actions versions for artifacts --- .github/workflows/release-branch.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index adba697d7..cfbeb89ce 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -251,7 +251,7 @@ jobs: make package - name: Archive AMD64 Binaries - uses: actions/upload-artifact@v3.1.2 # v3.1.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: nginx-agent-binaries-${{ inputs.packageVersion }}-amd64 path: | @@ -261,7 +261,7 @@ jobs: build/amd64/nginx-agent.buildend - name: Archive ARM64 Binaries - uses: actions/upload-artifact@v3.1.2 # v3.1.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: nginx-agent-binaries-${{ inputs.packageVersion }}-arm64 path: | From ab1f40f96150d95e71fb454558234809f2eee9f8 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 11:47:39 +0000 Subject: [PATCH 20/42] [skip ci] more log output when archiving binaries --- .github/workflows/assertion.yml | 14 ++++++++++---- .github/workflows/release-branch.yml | 25 +++++++++++-------------- 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index f2c26ec2b..299c8ca13 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml 
@@ -4,9 +4,10 @@ name: Generate and Sign Assertion Document on: workflow_call: inputs: - artifact_name: - required: true + packageVersion: + description: 'Agent version' type: string + required: true secrets: ARTIFACTORY_USER: required: true @@ -29,8 +30,13 @@ jobs: matrix: osarch: [amd64, arm64] steps: + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + ref: refs/heads/improve-assertion-doc-generation + - name: Download nginx-agent binaries - uses: actions/download-artifact@v3.0.2 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 with: name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} path: ./artifacts @@ -60,7 +66,7 @@ jobs: invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} artifactory-user: ${{ inputs.ARTIFACTORY_USER }} artifactory-api-token: ${{ inputs.ARTIFACTORY_TOKEN }} - artifactory-url: ${{ secrets.ARTIFACTORY_URL }} + artifactory-url: ${{ inputs.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' assertion-doc-file: assertion_nginx-agent_${{ github.ref_name }}_${{matrix.osarch}}.json build-content-path: ${{ env.goversionm }} diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index cfbeb89ce..8dd934198 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -102,6 +102,7 @@ jobs: - name: Create Draft Release uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + if: ${{ needs.vars.outputs.github_release == 'true' }} id: release env: version: ${{ inputs.packageVersion }} 
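Review bot: The added checkout pins `ref: refs/heads/improve-assertion-doc-generation`, a feature branch, so once this series is merged every release would still check out that branch inside the assertion job; drop the `ref:` (the default is the caller's commit) or use `ref: ${{ github.sha }}`, and say in a comment what the checkout is needed for, e.g. `# checkout needed only for go.mod so go version -m resolves module metadata`. Pinning `download-artifact` to a commit SHA is the right move; the comment should read `# v6.0.0` to match the other pins.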
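Review bot: `artifactory-url` now reads `inputs.ARTIFACTORY_URL`, but `ARTIFACTORY_URL` is declared under `secrets:` at the top of this workflow and there is no input of that name, so the action receives an empty URL; use `${{ secrets.ARTIFACTORY_URL }}`, consistent with the `GOPROXY` line. The same applies to `artifactory-user` and `artifactory-api-token` on the adjacent lines, which still read from `inputs.`.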
@@ -201,10 +202,6 @@ jobs: git config --global user.name 'github-actions' git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com' git tag -a "v${{ inputs.packageVersion }}" -m "CI Autogenerated" - - - name: Push Tags - if: ${{ needs.vars.outputs.tag_release == 'true' }} - run: | git push origin "v${{ inputs.packageVersion }}" build-and-upload-packages: @@ -246,9 +243,9 @@ jobs: PACKAGE_BUILD: ${{ inputs.packageBuildNo }} run: | export PATH=$PATH:~/go/bin - echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE} make package + find build/ -type f -name "nginx-agent*" - name: Archive AMD64 Binaries uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 @@ -269,6 +266,15 @@ jobs: build/arm64/nginx-agent.sha256 build/arm64/nginx-agent.buildstart build/arm64/nginx-agent.buildend + + - name: Generate assertion documents + uses: ./.github/workflows/assertion.yml + continue-on-error: true + with: + packageVersion: ${{ inputs.packageVersion }} + ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} + ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} + ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL_PROD }} - name: Install GPG tools if: ${{ inputs.publishPackages == true }} @@ -293,15 +299,6 @@ jobs: run: | make release - - name: Generate assertion documents - uses: ./.github/workflows/assertion.yml - continue-on-error: true - with: - packageVersion: ${{ inputs.packageVersion }} - ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} - ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} - ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL_PROD }} - merge-release: if: ${{ needs.vars.outputs.create_pull_request == 'true' }} name: Merge release branch back into main branch From c9ea9c0098e5775eeaa147068790b31d2ba7b702 Mon Sep 17 00:00:00 2001 
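Review bot: Deleting `echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE}` leaves nothing in this step that provisions the package-signing key before `make package`, so unless the key is written by something not visible here (a later `gpg-key` make prerequisite appears in this series) the deb/rpm/apk files are built unsigned while the job still goes on to upload them. If provisioning has deliberately moved into the Makefile, say so in a comment on the step, e.g. `# signing key is provisioned by the gpg-key make target, not here`, and make the publish step refuse to run without it: `test -s "${NFPM_SIGNING_KEY_FILE}" || { echo "signing key missing"; exit 1; }`.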
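Review bot: The assertion step is again a step-level `uses:` of a reusable workflow with the Artifactory credentials under `with:`; reusable workflows can only be invoked from `jobs.<id>.uses`, and passing `ARTIFACTORY_TOKEN` as an input rather than under `secrets:` would leave it unmasked if the call were accepted. Moving it ahead of `Install GPG tools` and `make release` is the right order — provenance before publication — but `continue-on-error: true` discards that benefit, since a failed or missing assertion document still lets the job continue to upload packages. Make it a separate job that `needs: [build-and-upload-packages]`, pass the three values under `secrets:`, and gate publishing on that job (or drop `continue-on-error`) so a release cannot ship without its provenance.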
From: Sean Breen Date: Thu, 20 Nov 2025 11:53:19 +0000 Subject: [PATCH 21/42] [skip ci] run from this branch for test --- .github/workflows/release-branch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 8dd934198..eba2358d6 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -69,7 +69,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - ref: ${{ inputs.releaseBranch }} + ref: improve-assertion-doc-generation - name: Set variables id: vars From c22b6e846caac4a5f6d6868872fc9ebec17161f5 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 11:56:08 +0000 Subject: [PATCH 22/42] [skip ci] run from this branch for test --- .github/workflows/release-branch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index eba2358d6..5f04c7dc6 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -215,7 +215,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - ref: ${{ inputs.releaseBranch }} + ref: improve-assertion-doc-generation - name: Setup go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 From a788cb70419cf66fbdd273c97e10b670d051ee3f Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 11:56:53 +0000 Subject: [PATCH 23/42] [skip ci] run from this branch for test --- .github/workflows/release-branch.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 5f04c7dc6..688ad5fca 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml 
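Review bot: Replacing `ref: ${{ inputs.releaseBranch }}` with the literal `improve-assertion-doc-generation` (here and in the previous hunk) makes the release workflow check out, package and potentially publish this feature branch regardless of what the dispatcher asked for; the commit message marks it as a test change, so it must be reverted before merge. A safer way to test is to keep the input and fall back to the branch only when it is empty, `ref: ${{ inputs.releaseBranch || 'improve-assertion-doc-generation' }}`, so the revert is a one-token change that cannot be forgotten.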
@@ -94,11 +94,7 @@ jobs: uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: ${{ needs.vars.outputs.github_release == 'true' }} with: - ref: ${{ inputs.releaseBranch }} - - - name: Setup Node Environment - if: ${{ needs.vars.outputs.github_release == 'true' }} - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 + ref: improve-assertion-doc-generation - name: Create Draft Release uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 @@ -194,7 +190,7 @@ jobs: uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 if: ${{ needs.vars.outputs.tag_release == 'true' }} with: - ref: ${{ inputs.releaseBranch }} + ref: improve-assertion-doc-generation - name: Tag release if: ${{ needs.vars.outputs.tag_release == 'true' }} From 2ad673da0849726868705027f38bd355e422b759 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 12:06:30 +0000 Subject: [PATCH 24/42] [skip ci] add back gpg key gen --- Makefile.packaging | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.packaging b/Makefile.packaging index 4823c4a7a..4ba99aa79 100644 --- a/Makefile.packaging +++ b/Makefile.packaging @@ -35,7 +35,7 @@ $(PACKAGES_DIR): @mkdir -p $(PACKAGES_DIR)/deb && mkdir -p $(PACKAGES_DIR)/rpm && mkdir -p $(PACKAGES_DIR)/apk .PHONY: package -package: $(PACKAGES_DIR) #### Create final packages for all supported distros +package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported distros # Build binaries for all supported architectures @for arch in $(DEB_ARCHS); do \ mkdir -p $(BUILD_DIR)/$${arch}; \ From b5fdc379649e854823e2fe640c76fda1ac5299e2 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 12:17:14 +0000 Subject: [PATCH 25/42] [skip ci] fix tarball path, use cd instead of popd --- Makefile.packaging | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile.packaging b/Makefile.packaging index 4ba99aa79..09b018083 100644 
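Review bot: The `Setup Node Environment` step (`actions/setup-node@…`) is removed from the release job alongside the `ref` swap, which the commit message ("run from this branch for test") does not mention, and PATCH 40/41 only restore the `ref`, so the removal is permanent. If `Create Draft Release` only uses `actions/github-script`, which runs on the runner's bundled Node, the step may well be dead — but say so in the commit, or split it out, so it is not mistaken for test scaffolding.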
--- a/Makefile.packaging +++ b/Makefile.packaging @@ -145,9 +145,9 @@ package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported di # Create tarball containing all packages @echo "Creating tarball: $(TARBALL_NAME)"; \ rm -f $(PACKAGES_DIR)/$(TARBALL_NAME); \ - pushd $(PACKAGES_DIR) > /dev/null; \ + cd $(PACKAGES_DIR); \ tar -czvf "./$(TARBALL_NAME)" *; \ - popd > /dev/null; \ + cd ../.. \ ls -la $(PACKAGES_DIR)/$(TARBALL_NAME); .PHONY: gpg-key From 3947e33bac6647ba1d88b9dcc97d139937c742ed Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 12:36:49 +0000 Subject: [PATCH 26/42] [skip ci] move assertion doc gen into release-branch.yml --- .github/workflows/assertion.yml | 42 +---------------- .github/workflows/release-branch.yml | 67 ++++++++++++++++++++++++---- 2 files changed, 60 insertions(+), 49 deletions(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 299c8ca13..6a9b59309 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml @@ -18,7 +18,7 @@ on: jobs: build-assertion-document: - name: Build and Generate Assertion Document + name: Create Assertion Document runs-on: ubuntu-22.04 if: ${{ !github.event.pull_request.head.repo.fork }} permissions: 
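Review bot: The new `cd ../.. \` line has no `;` before the backslash, so the shell continuation joins it with the next line into a single `cd ../.. ls -la …` command with extra arguments; the `ls` never runs as its own command and the recipe's exit status is whatever that malformed `cd` returns. `cd $(PACKAGES_DIR); \` likewise keeps going on failure, so if the directory is missing `tar -czvf … *` archives the current directory instead. Both go away with a subshell: `(cd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" *) && \` followed by `ls -la $(PACKAGES_DIR)/$(TARBALL_NAME);`, which also drops the assumption that `$(PACKAGES_DIR)` is exactly two levels deep. The recipe belongs to the `package` target, which starts outside the hunk.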
@@ -33,48 +33,10 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: - ref: refs/heads/improve-assertion-doc-generation + ref: improve-assertion-doc-generation - name: Download nginx-agent binaries uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 with: name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} path: ./artifacts - - - name: Gather build dependencies - id: godeps - run: | - ls -la artifacts - echo "agent_digest=$(cat artifacts/nginx-agent.sha256)" >> $GITHUB_ENV - echo "agent_buildstart=$(cat artifacts/nginx-agent.buildstart)" >> $GITHUB_ENV - echo "agent_buildend=$(cat artifacts/nginx-agent.buildend)" >> $GITHUB_ENV - - echo "Checking dependencies..." - go version -m build/${{ matrix.osarch }}/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt - ls -l goversionm_*.txt - echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV - - - name: Generate Assertion Document - id: assertiondoc - uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 - with: - artifact-name: nginx-agent_${{ github.ref_name }}_${{ matrix.osarch }} - artifact-digest: ${{ env.agent-digest }} - build-type: 'github' - builder-id: 'github.com' - builder-version: '${{env.GO_VERSION}}_test' - invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} - artifactory-user: ${{ inputs.ARTIFACTORY_USER }} - artifactory-api-token: ${{ inputs.ARTIFACTORY_TOKEN }} - artifactory-url: ${{ inputs.ARTIFACTORY_URL }} - artifactory-repo: 'f5-nginx-go-local-approved-dependency' - assertion-doc-file: assertion_nginx-agent_${{ github.ref_name }}_${{matrix.osarch}}.json - build-content-path: ${{ env.goversionm }} - started-on: '${{ env.agent_buildstart }}' - finished-on: '${{ env.agent_buildend }}' - - - name: Sign and Store Assertion Document - id: sign - 
uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 - with: - assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 688ad5fca..30f8297ae 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -262,15 +262,6 @@ jobs: build/arm64/nginx-agent.sha256 build/arm64/nginx-agent.buildstart build/arm64/nginx-agent.buildend - - - name: Generate assertion documents - uses: ./.github/workflows/assertion.yml - continue-on-error: true - with: - packageVersion: ${{ inputs.packageVersion }} - ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} - ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} - ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL_PROD }} - name: Install GPG tools if: ${{ inputs.publishPackages == true }} 
@@ -295,6 +286,64 @@ jobs: run: | make release + assertion-document: + name: Build and Generate Assertion Document + runs-on: ubuntu-22.04 + needs: [build-and-upload-packages] + permissions: + contents: read + strategy: + matrix: + osarch: [amd64, arm64] + steps: + - name: Checkout Repository + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + with: + ref: improve-assertion-doc-generation + + - name: Download nginx-agent binaries + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 + with: + name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} + + - name: Gather build dependencies + id: godeps + run: | + ls -la artifacts + echo "agent_digest=$(cat artifacts/nginx-agent.sha256)" >> $GITHUB_ENV + echo "agent_buildstart=$(cat artifacts/nginx-agent.buildstart)" >> $GITHUB_ENV + echo "agent_buildend=$(cat artifacts/nginx-agent.buildend)" >> $GITHUB_ENV + + echo "Checking dependencies..." + go version -m build/${{ matrix.osarch }}/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt + ls -l goversionm_*.txt + echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV + + - name: Generate Assertion Document + id: assertiondoc + uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 + with: + artifact-name: nginx-agent_${{ github.ref_name }}_${{ matrix.osarch }} + artifact-digest: ${{ env.agent-digest }} + build-type: 'github' + builder-id: 'github.com' + builder-version: '${{env.GO_VERSION}}_test' + invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} + artifactory-user: ${{ inputs.ARTIFACTORY_USER }} + artifactory-api-token: ${{ inputs.ARTIFACTORY_TOKEN }} + artifactory-url: ${{ inputs.ARTIFACTORY_URL }} + artifactory-repo: 'f5-nginx-go-local-approved-dependency' + assertion-doc-file: assertion_nginx-agent_${{ github.ref_name }}_${{matrix.osarch}}.json + 
build-content-path: ${{ env.goversionm }} + started-on: '${{ env.agent_buildstart }}' + finished-on: '${{ env.agent_buildend }}' + + - name: Sign and Store Assertion Document + id: sign + uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 + with: + assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} + merge-release: if: ${{ needs.vars.outputs.create_pull_request == 'true' }} name: Merge release branch back into main branch From 4d2c4a4c9151d08974eb8f061ea0eca247502f9f Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 12:49:39 +0000 Subject: [PATCH 27/42] [skip ci] install go for assertion doc job --- .github/workflows/release-branch.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 30f8297ae..dfe3d800a 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -221,6 +221,7 @@ jobs: - name: Setup package build environment run: | + go mod tidy go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }} sudo apt-get update sudo apt-get install -y gpgv1 monkeysphere 
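Review bot: `artifact-digest: ${{ env.agent-digest }}` reads a hyphenated name, but `Gather build dependencies` exports `agent_digest` (underscore), so the digest handed to the assertion action is empty and the document attests to a binary it does not identify; it should be `artifact-digest: ${{ env.agent_digest }}`. The same mismatch is carried into the corresponding assertion.yml hunk in PATCH 33. If `nginx-agent.sha256` is in `sha256sum` output form (`<hash>  <file>`), `cat` also drags the filename into the value — confirm the file holds the bare hash, or take `cut -d' ' -f1`. `builder-version: '${{env.GO_VERSION}}_test'` depends on a `GO_VERSION` env that is not set in this hunk; verify it is defined at workflow level, otherwise it expands to `_test`.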
@@ -301,18 +302,25 @@ jobs: with: ref: improve-assertion-doc-generation + - name: Setup go + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + with: + go-version-file: 'go.mod' + cache: false + - name: Download nginx-agent binaries uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 with: - name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} + name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }}] + path: binaries - name: Gather build dependencies id: godeps run: | - ls -la artifacts - echo "agent_digest=$(cat artifacts/nginx-agent.sha256)" >> $GITHUB_ENV - echo "agent_buildstart=$(cat artifacts/nginx-agent.buildstart)" >> $GITHUB_ENV - echo "agent_buildend=$(cat artifacts/nginx-agent.buildend)" >> $GITHUB_ENV + ls -la binaries + echo "agent_digest=$(cat binaries/nginx-agent.sha256)" >> $GITHUB_ENV + echo "agent_buildstart=$(cat binaries/nginx-agent.buildstart)" >> $GITHUB_ENV + echo "agent_buildend=$(cat binaries/nginx-agent.buildend)" >> $GITHUB_ENV echo "Checking dependencies..." go version -m build/${{ matrix.osarch }}/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt From 3bbcde4eee93f4b67dcaf41a70b24b5430078870 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 12:54:10 +0000 Subject: [PATCH 28/42] [skip ci] use go mod download --- .github/workflows/release-branch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index dfe3d800a..b168ff272 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -221,7 +221,7 @@ jobs: - name: Setup package build environment run: | - go mod tidy + go mod download go install github.com/goreleaser/nfpm/v2/cmd/nfpm@${{ env.NFPM_VERSION }} sudo apt-get update sudo apt-get install -y gpgv1 monkeysphere 
From a357657514903ee00959b13225c80a15e1b0ecf5 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 13:15:01 +0000 Subject: [PATCH 29/42] [skip ci] --- .github/workflows/release-branch.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index b168ff272..127ceab12 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -311,7 +311,7 @@ jobs: - name: Download nginx-agent binaries uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 with: - name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }}] + name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} path: binaries - name: Gather build dependencies From 4b1e77f0ebdba24d7defe15301beafd2cf702227 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 13:24:49 +0000 Subject: [PATCH 30/42] [skip ci] --- .github/workflows/release-branch.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 127ceab12..c37945b85 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -323,7 +323,7 @@ jobs: echo "agent_buildend=$(cat binaries/nginx-agent.buildend)" >> $GITHUB_ENV echo "Checking dependencies..." - go version -m build/${{ matrix.osarch }}/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt + go version -m binaries/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt ls -l goversionm_*.txt echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV 
@@ -331,7 +331,7 @@ jobs: id: assertiondoc uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 with: - artifact-name: nginx-agent_${{ github.ref_name }}_${{ matrix.osarch }} + artifact-name: nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }} artifact-digest: ${{ env.agent-digest }} build-type: 'github' builder-id: 'github.com' @@ -341,7 +341,7 @@ jobs: artifactory-api-token: ${{ inputs.ARTIFACTORY_TOKEN }} artifactory-url: ${{ inputs.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' - assertion-doc-file: assertion_nginx-agent_${{ github.ref_name }}_${{matrix.osarch}}.json + assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json build-content-path: ${{ env.goversionm }} started-on: '${{ env.agent_buildstart }}' finished-on: '${{ env.agent_buildend }}' From d075e1b4651901e549e28e0a7f5ac2a042b675ad Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 13:35:53 +0000 Subject: [PATCH 31/42] [skip ci] add artifactory creds --- .github/workflows/release-branch.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index c37945b85..608a4955d 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -291,6 +291,7 @@ jobs: name: Build and Generate Assertion Document runs-on: ubuntu-22.04 needs: [build-and-upload-packages] + continue-on-error: true permissions: contents: read strategy: 
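Review bot: `continue-on-error: true` at job level means a failing `assertion-document` job leaves the workflow green, so a release can publish with no, or an unsigned, assertion document and nobody is told. For a compliance artefact that is the wrong default; either let it fail the run, or gate the job on an explicit input so a skip is deliberate rather than silent (PATCH 32 adds such an `assertionDoc` input, which makes this flag redundant). The job definition continues outside the hunk.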
@@ -337,9 +338,9 @@ jobs: builder-id: 'github.com' builder-version: '${{env.GO_VERSION}}_test' invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} - artifactory-user: ${{ inputs.ARTIFACTORY_USER }} - artifactory-api-token: ${{ inputs.ARTIFACTORY_TOKEN }} - artifactory-url: ${{ inputs.ARTIFACTORY_URL }} + artifactory-user: ${{ secrets.ARTIFACTORY_USER }} + artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} + artifactory-url: ${{ secrets.ARTIFACTORY_URL }} artifactory-repo: 'f5-nginx-go-local-approved-dependency' assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json build-content-path: ${{ env.goversionm }} From 520fe85375f08c5cbe0be94f7707a80265ae18d8 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 14:06:53 +0000 Subject: [PATCH 32/42] make assertion optional --- .github/workflows/release-branch.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 608a4955d..300a6b48f 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -17,11 +17,11 @@ on: type: string uploadAzure: description: 'Publish packages Azure storage' - default: true + default: false type: boolean publishPackages: description: 'Publish packages to nginx repo' - default: true + default: false type: boolean tagRelease: description: 'Add tag to release branch' @@ -39,6 +39,11 @@ on: description: 'Location to publish packages to' required: false default: "https://up-ap.nginx.com" + type: string + assertionDoc: + description: 'Generate assertion document' + default: false + type: boolean env: NFPM_VERSION: 'v2.35.3' @@ -291,6 +296,7 @@ jobs: name: Build and Generate Assertion Document runs-on: ubuntu-22.04 needs: [build-and-upload-packages] + if : ${{ inputs.assertionDoc == true }} continue-on-error: true permissions: contents: read 
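Review bot: The `uploadAzure` and `publishPackages` defaults flip from `true` to `false` in a commit titled "make assertion optional", which neither mentions nor needs that change. Making manual dispatches safe by default is reasonable, but it changes what a release operator gets when they leave the boxes alone, so either state it in the commit message or split it into its own change.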
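Review bot: `if : ${{ inputs.assertionDoc == true }}` has a space before the colon; YAML still yields the key `if`, but it differs from every other `if:` in the file and the same spelling is carried forward into PATCH 33 and PATCH 35. Write it as `if: ${{ inputs.assertionDoc == true }}`.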
From 256b4a2b912fa509456b9bc6b69903d16cef971a Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 14:13:28 +0000 Subject: [PATCH 33/42] call reusable assertion workflow --- .github/workflows/assertion.yml | 48 +++++++++++++++++++- .github/workflows/release-branch.yml | 68 +++------------------------- 2 files changed, 53 insertions(+), 63 deletions(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 6a9b59309..4a3cacb30 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml @@ -1,4 +1,3 @@ - name: Generate and Sign Assertion Document on: @@ -22,7 +21,7 @@ jobs: runs-on: ubuntu-22.04 if: ${{ !github.event.pull_request.head.repo.fork }} permissions: - id-token: write + id-token: read contents: read env: GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL }}" 
@@ -35,8 +34,53 @@ jobs: with: ref: improve-assertion-doc-generation + - name: Setup go + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + with: + go-version-file: 'go.mod' + cache: false + - name: Download nginx-agent binaries uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 with: name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} + path: binaries + + - name: Gather build dependencies + id: godeps + run: | + ls -la binaries + echo "agent_digest=$(cat binaries/nginx-agent.sha256)" >> $GITHUB_ENV + echo "agent_buildstart=$(cat binaries/nginx-agent.buildstart)" >> $GITHUB_ENV + echo "agent_buildend=$(cat binaries/nginx-agent.buildend)" >> $GITHUB_ENV + + echo "Checking dependencies..." + go version -m binaries/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt + ls -l goversionm_*.txt + echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV + + - name: Generate Assertion Document + id: assertiondoc + uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 + with: + artifact-name: nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }} + artifact-digest: ${{ env.agent-digest }} + build-type: 'github' + builder-id: 'github.com' + builder-version: '${{env.GO_VERSION}}_test' + invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} + artifactory-user: ${{ secrets.ARTIFACTORY_USER }} + artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} + artifactory-url: ${{ secrets.ARTIFACTORY_URL }} + artifactory-repo: 'f5-nginx-go-local-approved-dependency' + assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json + build-content-path: ${{ env.goversionm }} + started-on: '${{ env.agent_buildstart }}' + finished-on: '${{ env.agent_buildend }}' + + - name: Sign and Store Assertion Document + id: sign + uses: 
nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 + with: + assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} path: ./artifacts diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 300a6b48f..3b9180c75 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml 
@@ -294,70 +294,16 @@ jobs: assertion-document: name: Build and Generate Assertion Document - runs-on: ubuntu-22.04 needs: [build-and-upload-packages] if : ${{ inputs.assertionDoc == true }} - continue-on-error: true - permissions: - contents: read - strategy: - matrix: - osarch: [amd64, arm64] - steps: - - name: Checkout Repository - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - with: - ref: improve-assertion-doc-generation - - - name: Setup go - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 - with: - go-version-file: 'go.mod' - cache: false + uses: ./.github/workflows/assertion.yml + with: + packageVersion: ${{ inputs.packageVersion }} + secrets: + ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} + ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} + ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL }} - - name: Download nginx-agent binaries - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 - with: - name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} - path: binaries - - - name: Gather build dependencies - id: godeps - run: | - ls -la binaries - echo "agent_digest=$(cat binaries/nginx-agent.sha256)" >> $GITHUB_ENV - echo "agent_buildstart=$(cat binaries/nginx-agent.buildstart)" >> $GITHUB_ENV - echo "agent_buildend=$(cat binaries/nginx-agent.buildend)" >> $GITHUB_ENV - - echo "Checking dependencies..." 
- go version -m binaries/nginx-agent > goversionm_${{ github.run_id }}_${{ github.run_number }}.txt - ls -l goversionm_*.txt - echo "goversionm=$(find -type f -name "goversionm*.txt" | head -n 1)" >> $GITHUB_ENV - - - name: Generate Assertion Document - id: assertiondoc - uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 - with: - artifact-name: nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }} - artifact-digest: ${{ env.agent-digest }} - build-type: 'github' - builder-id: 'github.com' - builder-version: '${{env.GO_VERSION}}_test' - invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }} - artifactory-user: ${{ secrets.ARTIFACTORY_USER }} - artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }} - artifactory-url: ${{ secrets.ARTIFACTORY_URL }} - artifactory-repo: 'f5-nginx-go-local-approved-dependency' - assertion-doc-file: assertion_nginx-agent_${{ inputs.packageVersion }}_${{ matrix.osarch }}.json - build-content-path: ${{ env.goversionm }} - started-on: '${{ env.agent_buildstart }}' - finished-on: '${{ env.agent_buildend }}' - - - name: Sign and Store Assertion Document - id: sign - uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 - with: - assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} merge-release: if: ${{ needs.vars.outputs.create_pull_request == 'true' }} From 841012db47ec7c637c872ec74dbcee87e8ede61b Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 14:14:09 +0000 Subject: [PATCH 34/42] [skip ci] fix perms --- .github/workflows/assertion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 4a3cacb30..16b9c7b0b 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml 
@@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-22.04 if: ${{ !github.event.pull_request.head.repo.fork }} permissions: - id-token: read + id-token: write contents: read env: GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL }}" From add37476cbbdb816ea4e9b8b28d3e88759333ae9 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 14:15:52 +0000 Subject: [PATCH 35/42] [skip ci] fix perms --- .github/workflows/release-branch.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 3b9180c75..9101dcca0 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -297,6 +297,9 @@ jobs: needs: [build-and-upload-packages] if : ${{ inputs.assertionDoc == true }} uses: ./.github/workflows/assertion.yml + permissions: + id-token: write + contents: read with: packageVersion: ${{ inputs.packageVersion }} secrets: From 903a2d9a75505d564fb0ce70377e74eaf2ae9812 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 15:21:28 +0000 Subject: [PATCH 36/42] [skip ci] allow run via dispatch, artifact id as input --- .github/workflows/assertion.yml | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 16b9c7b0b..9fd23b546 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml @@ -1,6 +1,16 @@ name: Generate and Sign Assertion Document on: + workflow_dispatch: + inputs: + packageVersion: + description: 'Agent version' + type: string + required: true + artifactId: + description: 'Artifact ID' + type: string + required: false workflow_call: inputs: packageVersion: 
@@ -40,12 +50,20 @@ jobs: go-version-file: 'go.mod' cache: false - - name: Download nginx-agent binaries + - name: Download nginx-agent binary artifacts + if: ${{ inputs.artifactId == '' }} uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 with: name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} path: binaries + - name: Download nginx-agent binary artifact by ID + if: ${{ inputs.artifactId != '' }} + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 + with: + artifact-ids: '${{ inputs.artifactId }}' + path: binaries + - name: Gather build dependencies id: godeps run: | @@ -83,4 +101,3 @@ jobs: uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} - path: ./artifacts From 8e653eb16491b4009c2e27c3dfa0e4ce1c48f71c Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 15:41:43 +0000 Subject: [PATCH 37/42] [skip ci] add run id for downloading artifacts --- .github/workflows/assertion.yml | 32 +++++++++++++++++----------- .github/workflows/release-branch.yml | 3 +++ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index 9fd23b546..b870f19c2 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml 
@@ -7,16 +7,30 @@ on: description: 'Agent version' type: string required: true - artifactId: - description: 'Artifact ID' + runId: + description: 'Run ID of the workflow that built the artifacts' type: string required: false + signAssertion: + description: 'Sign and store the assertion document' + type: boolean + required: false + default: false workflow_call: inputs: packageVersion: description: 'Agent version' type: string required: true + runId: + description: 'Run ID of the workflow that built the artifacts' + type: string + required: false + signAssertion: + description: 'Sign and store the assertion document' + type: boolean + required: false + default: false secrets: ARTIFACTORY_USER: required: true @@ -51,18 +65,11 @@ jobs: cache: false - name: Download nginx-agent binary artifacts - if: ${{ inputs.artifactId == '' }} - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 - with: - name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} - path: binaries - - - name: Download nginx-agent binary artifact by ID - if: ${{ inputs.artifactId != '' }} + if: ${{ inputs.runId != '' }} uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 with: - artifact-ids: '${{ inputs.artifactId }}' - path: binaries + github-token: ${{ github.token }} + run-id: ${{ inputs.runId }} - name: Gather build dependencies id: godeps @@ -98,6 +105,7 @@ jobs: - name: Sign and Store Assertion Document id: sign + if: ${{ inputs.signAssertion == true }} uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0 with: assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }} diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 9101dcca0..65e0a0c1c 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml 
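Review bot: Downloading with `run-id:` plus `github-token:` goes through the REST artifacts API, which needs the token to carry `actions: read`; the job's `permissions:` block names only `id-token: write` and `contents: read` (PATCH 34), which sets every other scope to none, and the caller job in release-branch.yml (PATCH 35) caps it the same way. Unless `github.token` gets that scope some other way, expect a 403 here — add `actions: read` to both permission blocks. With `runId` optional and no fallback download, an empty value also skips this step and the failure only surfaces later in `Gather build dependencies` on a missing `binaries/` directory.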
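Review bot: `if: ${{ inputs.signAssertion == true }}` combined with `default: false` means the release-branch caller, which passes only `packageVersion` and `runId`, now generates the assertion document but never signs or stores it, while the job still requests `id-token: write` for a step that will not run. If unsigned-by-default is intended for dispatch testing, the release call should set `signAssertion: true` explicitly; otherwise default it to `true` for `workflow_call`.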
@@ -244,6 +244,8 @@ jobs: VERSION: ${{ env.VERSION }} PACKAGE_BUILD: ${{ inputs.packageBuildNo }} run: | + echo "Run ID: ${{ github.run_id }}" + echo "Run Number: ${{ github.run_number }}" export PATH=$PATH:~/go/bin echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE} make package @@ -302,6 +304,7 @@ jobs: contents: read with: packageVersion: ${{ inputs.packageVersion }} + runId: ${{ github.run_id }} secrets: ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} From f0b4f0a6bfb22a92a5a6e364ff22f4cca15974b0 Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 16:01:20 +0000 Subject: [PATCH 38/42] [skip ci] list artifacts and download by name --- .github/workflows/assertion.yml | 4 +++- .github/workflows/release-branch.yml | 11 +++++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index b870f19c2..f15210985 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml @@ -68,8 +68,10 @@ jobs: if: ${{ inputs.runId != '' }} uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 with: - github-token: ${{ github.token }} run-id: ${{ inputs.runId }} + github-token: ${{ github.token }} + name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} + path: binaries - name: Gather build dependencies id: godeps diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 65e0a0c1c..0b88bc75e 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -244,8 +244,6 @@ jobs: VERSION: ${{ env.VERSION }} PACKAGE_BUILD: ${{ inputs.packageBuildNo }} run: | - echo "Run ID: ${{ github.run_id }}" - echo "Run Number: ${{ github.run_number }}" export PATH=$PATH:~/go/bin echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE} make package 
@@ -271,6 +269,15 @@ jobs: build/arm64/nginx-agent.buildstart build/arm64/nginx-agent.buildend + - name: List artifacts + run: | + echo "Run ID: ${{ github.run_id }}" + echo "Run Number: ${{ github.run_number }}" + echo "nginx-agent-binaries-${{ inputs.packageVersion }}-arm64" + find build/arm64 -type f -name "nginx-agent*" + echo "nginx-agent-binaries-${{ inputs.packageVersion }}-amd64" + find build/amd64 -type f -name "nginx-agent*" + - name: Install GPG tools if: ${{ inputs.publishPackages == true }} run: | From bfd0580f6ba5550d576c75b27dcee8adfead3bef Mon Sep 17 00:00:00 2001 From: Sean Breen Date: Thu, 20 Nov 2025 16:13:56 +0000 Subject: [PATCH 39/42] make run id required --- .github/workflows/assertion.yml | 6 +++--- .github/workflows/release-branch.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml index f15210985..87ccc4480 100644 --- a/.github/workflows/assertion.yml +++ b/.github/workflows/assertion.yml @@ -10,7 +10,7 @@ on: runId: description: 'Run ID of the workflow that built the artifacts' type: string - required: false + required: true signAssertion: description: 'Sign and store the assertion document' type: boolean @@ -68,10 +68,10 @@ jobs: if: ${{ inputs.runId != '' }} uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # 6.0.0 with: - run-id: ${{ inputs.runId }} - github-token: ${{ github.token }} name: nginx-agent-binaries-${{ inputs.packageVersion }}-${{ matrix.osarch }} path: binaries + run-id: ${{ inputs.runId }} + github-token: ${{ github.token }} - name: Gather build dependencies id: godeps diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 0b88bc75e..5ac24d62c 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml 
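Review bot: With `runId` now `required: true` for both triggers, the `if: ${{ inputs.runId != '' }}` guard on the download step is redundant, and keeping it means a caller that does pass an empty value silently skips the download and fails later in `Gather build dependencies` on a missing `binaries/` directory rather than here. Drop the `if:` so a bad `runId` fails at the download step with the action's own error.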
@@ -54,7 +54,7 @@ defaults:
 shell: bash
 concurrency:
- group: ${{ github.ref_name }}-v3-release
+ group: ${{ github.ref_name }}-release
 cancel-in-progress: true
 permissions:
From fb87b02e956ff4abf9da99e0b59c6212bc715341 Mon Sep 17 00:00:00 2001
From: Sean Breen
Date: Fri, 21 Nov 2025 11:27:58 +0000
Subject: [PATCH 40/42] remove ref from checkout, use current commit or default branch
---
 .github/workflows/assertion.yml | 2 --
 .github/workflows/release-branch.yml | 8 --------
 2 files changed, 10 deletions(-)
diff --git a/.github/workflows/assertion.yml b/.github/workflows/assertion.yml
index 87ccc4480..8c9c536fb 100644
--- a/.github/workflows/assertion.yml
+++ b/.github/workflows/assertion.yml
@@ -55,8 +55,6 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
- with:
- ref: improve-assertion-doc-generation
 - name: Setup go
 uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 5ac24d62c..c88d7c535 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -73,8 +73,6 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
- with:
- ref: improve-assertion-doc-generation
 - name: Set variables
 id: vars
@@ -98,8 +96,6 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 if: ${{ needs.vars.outputs.github_release == 'true' }}
- with:
- ref: improve-assertion-doc-generation
 - name: Create Draft Release
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -194,8 +190,6 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 if: ${{ needs.vars.outputs.tag_release == 'true' }}
- with:
- ref: improve-assertion-doc-generation
 - name: Tag release
 if: ${{ needs.vars.outputs.tag_release == 'true' }}
@@ -215,8 +209,6 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
- with:
- ref: improve-assertion-doc-generation
 - name: Setup go
 uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
From 132decfabbc750af6489760f51437d81b6b8adc2 Mon Sep 17 00:00:00 2001
From: Sean Breen
Date: Fri, 21 Nov 2025 11:37:24 +0000
Subject: [PATCH 41/42] ensure checkout uses inputs.releaseBranch in release branch workflow
---
 .github/workflows/release-branch.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index c88d7c535..5e089d01f 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -73,6 +73,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ with:
+ ref: ${{ inputs.releaseBranch }}
 - name: Set variables
 id: vars
@@ -96,6 +98,8 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 if: ${{ needs.vars.outputs.github_release == 'true' }}
+ with:
+ ref: ${{ inputs.releaseBranch }}
 - name: Create Draft Release
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -190,6 +194,8 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 if: ${{ needs.vars.outputs.tag_release == 'true' }}
+ with:
+ ref: ${{ inputs.releaseBranch }}
 - name: Tag release
 if: ${{ needs.vars.outputs.tag_release == 'true' }}
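Review bot: The checkouts now set `ref: ${{ inputs.releaseBranch }}` (`@@ -73`, `@@ -96` and `@@ -190` here, plus `@@ -209` in the following hunk), so the branch that gets tagged, built, signed and published is whatever string the dispatcher typed, with no check that it is actually a release branch; the value goes to an action input rather than into a script, so this is a provenance concern rather than an injection one. A one-line validation in the `vars` job, with the input passed via `env:`, would stop a mistyped or unintended branch from reaching `tag-release` and `build-and-upload-packages`, for example `[[ "$RELEASE_BRANCH" =~ ^release-[0-9]+\.[0-9]+$ ]] || exit 1` (pattern is a constructed example; use the repository's actual naming). Whether an empty input should fall back to the event ref, which actions/checkout appears to do when `ref` is empty, or fail outright is worth stating in a comment beside the input definition, which is outside these hunks.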
@@ -209,6 +215,8 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ with:
+ ref: ${{ inputs.releaseBranch }}
 - name: Setup go
 uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
From 760a1f12e34db20e9e1c8a7a595bc35c5bc96fac Mon Sep 17 00:00:00 2001
From: Sean Breen
Date: Fri, 21 Nov 2025 13:42:31 +0000
Subject: [PATCH 42/42] use self-hosted runner for build
---
 .github/workflows/release-branch.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 5e089d01f..64398769e 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -207,7 +207,7 @@ jobs:
 build-and-upload-packages:
 name: Build and upload release packages
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-22.04-amd64
 needs: [vars,release-draft,tag-release]
 permissions:
 id-token: write
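Review bot: `runs-on: ubuntu-22.04-amd64` at `@@ -207,7 +207,7 @@` moves the job that holds `id-token: write` and, per the earlier hunk in this series, decodes `GPG_KEY` into `NFPM_SIGNING_KEY_FILE` onto a self-hosted runner, yet the label reads like a GitHub-hosted image name and nothing in the file records that it is not. A comment on the line, `# self-hosted label; this job handles the package-signing key and an OIDC token, so the runner must be ephemeral and not shared with untrusted PR workflows`, would document the intent for the next maintainer. The runner itself should be a fresh VM or container per job so the decoded key and the token do not persist on a machine that other jobs later reuse, and if the label could also match a differently provisioned runner in this organisation, a distinctly named label would remove the ambiguity.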